Until there is some kind of law in place that makes companies financially responsible for this kind of blunder, it will proliferate. In the current state of affairs it's simply not economically justified to implement proper security.
I have a feeling it's a subtly different problem: the people they've contracted to build this just don't understand security. They've evidently attempted to secure this, just in completely the wrong manner!
If the company providing the service were financially liable for these blunders, they would be careful to select contractors that are capable of meeting the security needs.
As it is now, there is no financial incentive to select the "security aware" contractor, and the "non-aware" one is so much cheaper...
Here's an interesting thought: what with the money there is to be made in security these days, programmers that actually know everything there is to know about security will leave applications development.
There is a good chance that the lure of security consultancy $ is resulting in a degradation of the quality of the applications.
There's not nearly as much money in security as most security consultants would like you to believe. It's in their best interest for most people to believe there's a huge amount of money waiting for you if you switch to security.
Unless you're someone with specialized experience (crypto), you as a pentester are worth around $100k/yr. That's excellent money, but it's not the massive margin that would drive people away from webdev.
Are you saying developers in general are subconsciously making low security products to raise the $ in security jobs globally, because they might some day switch career?
No, they're saying that if the money is in security, developers that know about security will go to security, and whoever remains as a developer will not be good at security.
> Until there is some kind of law in place that makes companies financially responsible for this kind of blunder, it will proliferate.
It will still be out there. For example, in a startup that's trying to get off the ground, going bankrupt because of security issues isn't that much different than going bankrupt because you failed to gain traction. It will still be put off to "later."
That said, with significant financial penalties there will be a point where the startup assesses the cost of security to be worth it (vs. now where there is no downside other than bad PR).
There are extensive laws in place that protect the personal information of patients and students. If a hospital had this same issue, then it would be fined and, depending on the state, it would have to inform all of its users that it may have leaked personal information. Similarly, educational institutions will not share your educational record with your parents no matter how much they beg unless you're a minor.
It's not a stretch that there should be laws that affect all companies that collect data on their users. I hope it happens soon! These companies should be paying quite a bit in fines for these mistakes, not just a few thousand for a bug bounty. Otherwise our personal information will most likely leak and be all over the web.