Immediately lock-down, then communicate to all affected before doing a root cause analysis and taking steps to ensure it doesn't happen again.

Dropbox faltered on the communication, and they made claims about their security which haven't been backed up by practice.

They stated that they would communicate to those whose accounts were 'compromised', yet those 'affected' by this were literally every user they have. They should've communicated to all, as that is who has been affected.

They also state and sell based on security, and do give you the feeling that you are able to trust them; then when you do, you find that they leave the door open. So their claims of security haven't been backed up by the practice of it.

Locking down was the right thing.

Communication was dire.

And there hasn't been a follow-up to demonstrate clearly that lessons were learned, and that it cannot happen again. Hell, we haven't even heard if there are now unit tests over this piece of code.

Just act ethically, clearly, and don't be afraid to have egg on your own face by coming clean. But when you do this, come fully clean and be transparent. Don't err, or dodge the details... just come clean, put your hands in the air and admit you screwed up, and then say why you've learned and why it really truly is not repeatable.

And if you've already had a security flaw or two preceding this... then stop what the hell you're doing, stop working on new features, and go back and check every line of code and look for every attack vector or flaw in your processes and put them right.

They sell on securing our data... I want them to be paranoid on my behalf.




I can't help but feel like most of what you're saying doesn't really matter with respect to getting sued or not.

Does it really matter whether they advertise that they are secure or not? If security wasn't listed all over their site, would that have mattered?

Does it matter whether they wrote a lessons learned blog post?

And as far as communication goes, Drew did respond and I thought the response was pretty good [1]. It was not immediate, nor should it have been. They had to determine the extent of the breach, consult with their lawyers, devise an appropriate strategy, etc.

It's not as simple as immediately notifying every account holder. That's what... 30 million people? Less than 100 accounts were actually exploited--why create mass hysteria when you can simply notify the small batch that were actually impacted? As bad as this situation is for them, awareness is mostly confined to the tech elite, which in the grand scheme of things is a pretty good outcome.

[1] http://techcrunch.com/2011/06/24/dropbox-breach-fewer-than-1...


