
“In the private sector” covers a lot of ground and I have extreme skepticism about your faith in the process unfolding that way: ask yourself how many breaches you’ve been part of and whether anything more than a press release happened along with waiting for the news to die down. How many customers did Experian lose?

(In the enterprise software world, I can tell you how epic failure to perform on an 8+ figure contract unfolds: the sales guy takes a VP out to the next game so they can discuss it over drinks in the corporate box and nothing will change)

I don't have _much_ experience with this but when I worked for a UK based e-commerce SaaS provider (which was focused on image, so, ymmv) we completely buried a contractor for using sub-contractors which didn't follow our data security standards (which the contractor knew about).

A breach wasn't found, but that contracting company eventually went bankrupt under the weight of our negative press and litigation. I know that this is essentially bullying, but it was used as an example to other contractors who might try something like that.

Incidentally, the SaaS provider no longer exists, gobbled up by NetSuite (which was, itself, acquired by Oracle).

There's pretty strong selection bias in information about data security standards. The companies that have strong ones will go out of their way to publicize that fact, but companies with weak or nonexistent ones will never admit that fact to the general public or news media, and the only thing you may hear about it is when disenchanted employees make anonymous posts on web forums.

If a company with weak data-protection standards wins out over a company with strong ones, it's never because of their lack of data-protection standards. Rather, it'll be because of all the other features, pricing, marketing, etc. they can do that are the opportunity cost of decent security. So as far as the information available to laypeople is concerned, most companies do a decent job with security and it's just a few bad apples that happen to be gigantic like Equifax, Facebook, Target, Yahoo, Anthem, and the U.S. government that are screwing things up.

(FWIW, at Google we took security very seriously and implemented some truly heroic measures to keep your data safe.)

> How many customers did Experian lose?

Experian didn't lose any customer data, though. They only lost data on their products. Their actual customers had no reason to stop paying for their services.

It was Equifax not Experian.

I think it's telling that, in this instance, it really doesn't matter. It could have been Experian; with the wave of a butterfly's wings in the Himalayas, it was Experian, and nothing changes in that alternative universe.

Some of these https://krebsonsecurity.com/tag/experian-breach/ look like Experian is leaking like a sieve, or am I missing something?

Experian makes its money selling credit checks to banks and other businesses. You're not their customer, you're their product.
