Allianz Life says 'majority' of customers' personal data stolen in cyberattack

123 thm 62 7/27/2025, 5:49:23 PM techcrunch.com

Comments (62)

Buttons840 · 1h ago
I say this often, and it's quite an unpopular idea, and I'm not sure why.

Security researchers, white-hat hackers, and even grey-hat hackers should have strong legal protections so long as they report any security vulnerabilities that they find.

The bad guys are allowed to constantly scan and probe for security vulnerabilities, and there is no system to stop them, but if some good guys try to do the same they are charged with serious felony crimes.

Experience has shown we cannot build secure systems. It may be an embarrassing fact, but many, if not all, of our largest companies and organizations are probably completely incapable of building secure systems. I think we try to avoid this fact by not allowing red-team security researchers to be on the lookout.

It's funny how everything has worked out for the benefit of companies and powerful organizations. They say "no, you can't test the security of our systems, we are responsible for our own security, you cannot test our security without our permission, and also, if we ever leak data, we aren't responsible".

So, in the end, these powerful organizations are both responsible for their own system security, and yet they also are not responsible, depending on whichever is more convenient at the time. Again, it's funny how it works out that way.

Are companies responsible for their own security, or is this all a big team effort that we're all involved in? Pick a lane. It does feel like we're all involved when half the nation's personal data is leaked every other week.

And this is literally a matter of national security. Is the nation's power grid secure? Maybe? I don't know, do independent organizations verify this? Can I verify this myself by trying to hack the power grid (in a responsible white-hat way)? No, of course not; I would be committing a felony to even try. Enabling powerful organizations to hide their security flaws in their systems, that's the default, they just have to do nothing and then nobody is allowed to research the security of their systems, nobody is allowed to blow the whistle.

We are literally sacrificing national security for the convenience of companies and so they can avoid embarrassment.

pojzon · 22m ago
Did you see Google or Facebook or Microsoft customer databases breached?

The issue is there are too few repercussions for companies making software in shitty ways.

Each data breach should hurt the company approximately to the size of it.

Equifax breach should have collapsed the company. Fines should be in tens of billions of dollars.

Then under such a banhammer software would be built correctly, security would be cared about, internal audits would be made (real ones) and people would care.

Currently, as things stand, there is ZERO reason to care about security.

slivanes · 6m ago
I’m all for companies to not ignore their responsibility for data management, but I’m concerned that type of punishment could be used as a weapon against competitors. I can imagine that certain classes of useful companies would just not be able to exist. Tricky balance to make companies actually care without crippling insurance.
GlacierFox · 8m ago
Didn't Sharepoint get hacked the other day? :S
msgodel · 57m ago
The internet is really a lot like the ocean, things left unmaintained on it are swallowed by waves and sea life.

We need something like the salvage law.

thatguy0900 · 1h ago
I mean, the problem is people will break things. How do you responsibly hack your local electric grid? What if you accidentally mess with something you don't understand, and knock a neighborhood out? How do we prove you just responsibly hacked into a system full of private information then didn't actually look at a bunch of it?
sunrunner · 1h ago
> How do we prove you just responsibly hacked into a system full of private information then didn't actually look at a bunch of it?

Pinky promise?

valianteffort · 43m ago
> Experience has shown we cannot build secure systems

It's an unpopular idea because it's bullshit. Building secure systems is trivial and at the skill level of a junior engineer. Most of these "hacks" are not elaborate attacks utilizing esoteric knowledge to discover new vectors. They are the same exploit chains targeting bad programming practices, out of date libraries, etc.

Lousy code monkeys or mediocre programmers are the ones introducing vulnerabilities. We all know who they are. We all have to deal with them thanks to some brilliant middle manager figuring out how to cut costs for the org.

darzu · 12m ago
Take a broader view of what "building secure systems" means. It's not just about the code being written by ICs but about the business incentives, tech choices of leadership, the individual ways execs are rewarded, legacy realities, interactions with other companies, and a million other things. Our institutions are a complex result of all of these forces. Taken as a whole, and looking at the empirical evidence of companies and agencies frequently leaking data, the conclusion "we cannot build secure systems" is well founded.
KaiserPro · 30m ago
> Building secure systems is trivial

I'd suggest you try and build a secure system for > 150k employees before you make sweeping statements like that.

tdrz · 29m ago
Sometimes it is the management that doesn't understand anything. In their perspective, security doesn't improve the bottom line.

I worked for an SME that dealt with some sensitive customer data. I mentioned to the CEO that we should invest some time in improving our security. I got back that "what's the big deal, if anyone wants to look they can just look..."

slashdev · 2h ago
All these endless data breaches could be reduced if we fixed the incentives, but that's difficult. We could never stop it, because humans make mistakes, and big groups of humans make lots of mistakes. That doesn't mean we shouldn't try.

It seems to me a parallel path that should be pursued is to make the impact less damaging. Don't assume that things like birth dates, names, addresses, phone numbers, emails, SSNs, etc are private. Shut down the avenues that people use to "steal identities".

I hate the term stealing identity, because it implies the victim made some mistake to allow it to happen. When what really happened is the company was lazy to verify that the person they're doing business with is actually who they say they are. The onus and liability should be on the company involved. If a bank gives a loan to you under my name, it should be their problem, not mine. It would go away practically overnight as a problem if that were changed. Companies would be strict about verifying people, because otherwise they'd lose money. Incentives align.

Identity theft is not the only issue with data leaks / breaches, but it seems one of the more tractable.

DicIfTEx · 2h ago
> I hate the term stealing identity, because it implies the victim made some mistake to allow it to happen. When what really happened is the company was lazy to verify that the person they're doing business with is actually who they say they are. The onus and liability should be on the company involved.

You may enjoy this sketch: https://www.youtube.com/watch?v=CS9ptA3Ya9E

MichaelZuo · 2h ago
It is really strange that this is not already the case.
Buttons840 · 1h ago
"It's really strange that the status-quo favors those with more wealth and power."
afarah1 · 1h ago
The solution already exists: MFA and IdP federation.

One factor you know (data) and the other you possess, or you are (biometrics).

IdP issues both factors, identification is federated to them.

Kind of happens when you are required to supply driver's license, which technically you own and is federated id if checked in government system, but can be easily forged with knowledge factors alone.

Unfortunately banks and governments here use facial recognition for the second factor, which has big privacy concerns, and the tendency I think will be federal government as sole IdP. Non-biometric factors might have practical difficulties at scale, but fingerprint would be better than facial. It's already taken in most countries and could be easily federated. Not perfect but better than the alternatives imo.

SoftTalker · 1h ago
I'm unconvinced that biometrics are a good approach. You can't change them if a compromise is discovered.
afarah1 · 1h ago
I also don't like it but it seems to be what most institutions are going for.

It's a strong factor if required in person, the problems start when accepting it remotely. But having to go to the bank seems like the past.

eptcyka · 1h ago
So what? My data will still get sold online and then agencies/businesses will take advantage of it to do differential pricing. 2fa does not solve the problem of data leaks.
JumpCrisscross · 1h ago
> these endless data breaches could be reduced if we fixed the incentives, but that's difficult

It’s honestly unclear if the damage from data breaches exceeds the cost of eliminating it. The only case where I see that being clear is in respect of national security.

AlotOfReading · 1h ago
The more important point is that the people who would have to pay to avoid data breaches (companies) are not the ones who suffer when they happen (the public). It's the same problem as industrial pollution.
giantfrog · 2h ago
This will never, ever, ever stop happening until executives start going bankrupt and/or to jail for negligence. Even then it won’t stop, but it would at least decrease in frequency and severity.
SoftTalker · 2h ago
Unless there is willful negligence (very difficult to prove) or malicious behavior I don't think putting people in jail will help. Most of this stuff happens by accident not by intent.

Financial consequences to the company might be a deterrent, of course then you're dealing with hundreds or thousands of people potentially unemployed because the company was bankrupted by something as simple as a mistake in a firewall somewhere or an employee falling victim to a social engineering trick.

I think the path is along the lines of admitting that cloud, SaaS and other internet-connected information systems cannot be made safe, and dramatically limiting their use.

Or, admitting that a lot of this information should be of no consequence if it is exposed. Imagine a world where knowing my name, SSN, DOB, address, mother's maiden name, and whatever else didn't mean anything.

DanHulton · 1h ago
Imagine using this defence with regards to airline crashes. "The crashes happen by accident not by intent" would be a clearly ludicrous defence, as it ought to be here as well.

If we were serious about preventing these kinds of things from happening, we could.

SoftTalker · 1h ago
If we're OK with regulating SaaS companies (and anyone who connects their information systems to the internet) the way we do the airline industry, that may be an argument.

Bottom line though, a good many folks here would loudly resist that kind of oversight on their work and their businesses, and for somewhat valid reasons. Data breaches hardly ever cause hundreds of deaths in a violent fireball.

If the consequences of an airline crash were just some embarrassment and some inconvenience for the passengers, they would happen a lot more.

Also people almost never go to jail for airline crashes, even when they cause hundreds of deaths. We investigate them, and maybe issue new regulations, not to punish mistakes, but to try to eliminate the possibility of them happening again.

eptcyka · 1h ago
At some point, some US department figured that they can practically budget a human life to cost around 10 million dollars - I wonder if the total amount of lives lost in airline incidents would incur the same amount of money lost as all the fraud that takes place after data breaches like these.
fn-mote · 1h ago
> Most of this stuff happens by accident not by intent.

Consider the intent of not hiring enough security staff and supporting them appropriately. It looks a lot like an accident. You could even say it causes accidents.

SoftTalker · 1h ago
Hiring more people does not prevent the chance of mistakes. It may even increase them. I know places that spend lavishly on security (and employee education w/r/t social engineering, etc.) and have still been breached.
AlotOfReading · 51m ago
Google and Apple spend lavishly on security and are probably the most heavily attacked companies in the world, often by nation-state adversaries. Yet as far as I can remember, neither has had a successful breach like this in well over a decade.

Clearly it's possible.

lynx97 · 1h ago
Haha, I still vividly remember how they were trying to make me believe that GDPR was going to be a big hammer because it would finally make executives liable for breaches. I silently laughed back then. I am still laughing.

I should probably clarify: There are two types of people that claimed that back then. Those trying to gaslight us, and those naive enough to actually believe the gaslighting. Severe negligence has to be proven, and that is not easy, and there is a lot of wiggle room in court. Executives being liable for what they did during their term is just not coming, sorry kids.

amai · 1h ago
Actually Allianz offers an insurance against cyberattacks like this: https://www.allianz.de/aktuell/storys/cyberschutz-knoten-im-...
ok123456 · 53m ago
Good to see the contractually required endpoint protection was working.
SilverElfin · 6m ago
Is there any consequence? I’ve seen now a new practice where companies won’t even tell you what was compromised. For example a big one last year (?) was at the University of Washington. I had family receive vague letters saying some other place called Fred Hutch cancer center got hacked, and for some reason, the patient data of the university’s own hospitals was shared with this other place (even though they aren’t patients of Fred Hutch). Both Fred Hutch and UW refuse to tell individuals what data of theirs was compromised, but just say it can include all personal info including medical records and test results and social security numbers. It’s infuriating to just see a vague letter with free credit monitoring from companies that should be doing more and fined more.
time4tea · 1h ago
Mandatory £1000 fine per record lost. Would be company-terminal for companies with millions of customers - and that's right. Right now it's just cheaper to not care, then send a trite apology email when all the data inevitably gets stolen.

The status quo, nobody gives a crap, with the regulators literally doing nothing, cannot continue. In the UK, the ICO is as effective as Ofwat. (The regulator that was just killed for being pointlessly and dangerously useless)

(Edit: fix autocorrect)

grapescheesee · 1h ago
Mandatory amount paid directly to the customer of record, instead of fractions of a cent on the dollar, in year long class action settlements might help the disenfranchised 'customers'.
sunrunner · 52m ago
> Would be company-terminal

What happens to customers of the affected company in this case? Does this not now pass on a second problem to the people actually affected?

unsupp0rted · 26m ago
Would be national economy terminal too
jmkni · 2h ago
> “On July 16, 2025, a malicious threat actor gained access to a third-party, cloud-based CRM system used by Allianz Life,” referring to a customer relationship management (CRM) database containing information on its customers.

So who the hell was the "third-party, cloud-based CRM system"?

milesskorpen · 2h ago
Does it matter? Wasn't a technical breach of their systems, but instead social engineering.
politelemon · 1h ago
It matters. That's often a generic phrasing used to make it look like it was a partner's fault. But very often it is simply a platform that was managed by and configured by the company itself, which would mean more than just social engineering. Take a look at the language used in other breaches and it's very similarly veiled.
poemxo · 1h ago
If a cloud-based system doesn't support technologies that deter social engineering, it's still a problem. Some login portals to check your credit history don't even support 2FA.

So I think it matters, I think access systems should be designed with a wider set of human behaviors in mind, and there should be technical hurdles to leaking a majority of customers' personal information.

MontagFTB · 2h ago
Depending on the CRM, is this not a HIPAA violation?
marcusb · 1h ago
Why would it be? Is Allianz Life a covered entity? If so, why would it depend on the specific CRM being used?
nothercastle · 2h ago
The punishment for poor data security is so low it’s not worth paying for it in most companies. And of course the government makes it nearly impossible to change your ssn yet still uses it as a means of verifying so almost everyone is exposed by now.
bee_rider · 1h ago
Ignoring the whole pain in the ass this will be for their customers—at what point does this become a tragedy of the commons failure? Actually, I don’t know the case-law on this sort of stuff. If your bank authenticates using credentials that are generally publicly known by black-hats for most people—stuff like your social security number and some random bits of trivia (mother's maiden name)—shouldn’t they be responsible for any breaches?
Retr0id · 13m ago
Ah! Well. Nevertheless,
urquhartfe · 1h ago
Fundamentally the issue is that companies are just not investing enough in engineering and IT. When you farm out this work to offshore workers on a shoestring budget, the result is utterly predictable.
alephnerd · 1h ago
This isn't an offshore situation though.

I've worked with Allianz's cybersecurity personas previously on EBRs/QBRs, and the issue is they (like a lot of European companies) are basically a confederation of subsidiaries with various independent IT assets and teams, so shadow IT abounds.

They have subsidiaries numbering in the dozens, so there is no way to unify IT norms and standards.

There is an added skills issue as well (most DACH companies I've dealt with have only just started working on building hybrid security posture management - easily a decade behind their American peers), but it is a side effect of the organizational issues.

rr808 · 1h ago
Kinda frustrating the last few months I've had to upload bank statements and payslips to rent a house and also refinance a mortgage. I know all my financial details are out there floating and inevitably get leaked. I should be able to upload somewhere temporary where these docs are checked then safely deleted.
fock · 1h ago
I was on the train when some executive support staff joined my car (train ran late and they were easy to find on the internet ...). They behaved like misogynistic ogres and I can vividly imagine those people laugh about this. 0 regard for other people or their societal responsibility.
sMarsIntruder · 1h ago
Hello KYC
SoftTalker · 2h ago
Yawn. Another day, another breach.

Our industry is pathetic.

Rotundo · 2h ago
This will continue until there are serious repercussions for a company.
SoftTalker · 2h ago
Unclear who is responsible here, Allianz or their third party "cloud-based CRM provider."

But I think that fundamentally, secure cloud-based SaaS is impossible. This stuff needs to be on-prem and airgapped from the internet. That makes some functionality complicated or impossible, but we're seeing that what we have now is not working.

filleokus · 31m ago
Allianz have more than 150k employees with offices in 50+ countries. Not all of them need access to the CRM of course, but I think going back to on-prem is just asking for different kind of trouble.

We don't have any details now, but I wouldn't be surprised if the cloud-based CRM provider didn't have a very technically interesting weakness, but rather that some kind of social engineeringy method was used.

If global companies like this instead had stuff running on-prem all around the world the likelihood of more technical vulnerabilities seems MORE likely to me.

(Air gapping is of course possible, but in my experience, outside of the most security sensitive areas the downsides are simply not acceptable. Or the "air gapping" is just the old "hard shell" / perimeter-based access model...)

nothercastle · 2h ago
Buck stops at Allianz but the 3rd party might share some of the minuscule cost of bullshit identity protection services
BinaryIgor · 2h ago
There are inherent tradeoffs when using centralized solutions like that; unless the company does not use any third-party software and is paranoid about its security - these incidents and breaches will occur, unfortunately.
BinaryIgor · 2h ago
Well, to some degree it will always happen, no matter how careful the companies are.

Unless it's e2e encrypted (like in Proton Mail or Proton Drive), these incidents will occur. Manage your risk accordingly.

SoftTalker · 2h ago
At some point it has to be unencrypted to be useful. That's where the vulnerability is.
BinaryIgor · 2h ago
Depends whether and to what extent your service provider needs it - for Proton, it's always client-only decrypted
mvdtnz · 1h ago
There are very serious drawbacks to e2e encryption that can't be ignored for all use cases. Searching and indexing, reporting, analytics and performance are aspects of a program which become difficult or impossible if all of your data is encrypted everywhere other than the client. It's easy to just wave your hands and say "all data should be e2e encrypted" but it's not that straightforward.
BinaryIgor · 11m ago
Unfortunately, you're right; I guess there is no easy, handle-it-all answer; it all depends on the specifics of a given system