Why is the person doing the deleting so low, relatively speaking, in your ranking of people's responsibility for them doing the deleting?
Also, do you think that this person or persons would refrain from deleting the data if they had the opportunity, but it qualified as a "good idea" to keep online? I.e. they might review, say, medical records, spend some time thinking to themselves whether it was 'necessary' to be online, and then decide to delete or not delete depending on their judgment?
For me, it's because the odds of this person showing up quickly approach 1 as time approaches infinity, and that person's effect would be nil if it weren't for necessary causes 1) through 19).
Blaming the person that hacked you is like blaming the individual rock that sinks your boat when you navigate too close to a rocky shore. The rock may have done 100% of the damage to your boat, but if it hadn't been that rock, it would have been another one.
I was hacked using what at the time was novel (but is now a known exploit): someone claiming to be me transferred my SIM card to a new phone, over the phone, which then enabled them to defeat my 2FA (which of course I've now removed ALL cellphone recovery from).
Are you saying that it's my fault for either picking an insecure provider (T-Mobile, who I absolutely bitched out and told them to put a note on my account to not permit any SIM transfer without me physically being in a store under a camera), or for not staying abreast of the very latest in social-engineering exploits that assholes were using to try to steal bitcoins, and manage my security accordingly?
Rocks don't have moral agency. And the comment they replied to I think was clearly about the blameworthiness of the bad actor.
So I guess the problem I'm having is with the equivocation between cause-and-effect responsibility and moral responsibility, which I think was exploited here to indulge in a fun little switcheroo by talking about something they didn't mean.
Mostly because it's a very effective way to ensure things get fixed, while gaining the "attacker" nothing. It's harmful, but so is finding 4000 insecure databases, sending 4000 notification emails, and having 3950 of them ignored (and that approach is probably more risky, so far as inviting legal trouble and expenses). It also neatly removes anyone else's ability to take the data.
1) the cultural and economic forces driving everything online way before that’s anything like a good idea,
2) companies storing more than they need to,
3) the people who left it unsecured (bigco, tech startups, and anything very sensitive),
4) the people stealing data,
5) the people who left it unsecured (Smaller shops that’ve been made to feel they must be online),
[large gap]
20) someone who simply deletes all the insecure data (assuming they didn’t also steal all of it)