There has to be a better way than just adding another deterrent to starting a company. Could there be an industry standard for storage security? Certification (a known hurdle) is better than "don't fuck up or we'll fine you to death".
Regulate software development. Other industries already do this.
You could:
- make Software Engineer a protected title that requires formal engineering education and mentorship as well as membership in your country's professional engineering body (Canada already does this)
- make collecting and storing PII illegal unless done by a certified Software Engineer
- add legal responsibility to certified Software Engineers. If a breach like this happens they lose their license or go to jail. And you easily know who is responsible for it because it's the PEng's name on the project
- magically, nobody wants to collect PII insecurely anymore or hire vibe coders or give idiots access to push insecure stuff
- bonus: being a certified Software Engineer now boosts your salary by 5x and the only people that will do it actually know WTF they are doing instead of cowboys, and that company will never hire a cowboy because of liability. The entire Internet is now more secure, more profitable for professionals, and dumb AI junk goes in the trash
I think fines are very reasonable. If you can’t safely do the thing, you should be punished for doing it. If you can safely do the thing, then there is no issue.
Certification is essentially "don't fuck up or we'll fine you to death" with extra steps. Especially because it mostly comes down to the company self-verifying (auditors mostly just verify you are following whatever you say you are following, not that it's a good idea).
It's not like anyone intentionally posts their entire DB to the internet.
This is the only way to deter this. Negligence and incompetence need to cost companies big money, business-ruining amounts of money, or this is just going to keep happening.
The problem is, what are the damages? How much are those damages?
My SSN / private information has been leaked 10+ times now. I had identity fraud once, resulting in ~8 hours of phone calls to various banks resulting in everything being removed.
Having the threat of lawsuits is not really about the actual lawsuit, it's about scaring people into being more careful. If you actually get to the lawsuit stage, the strategy has failed.
> We can reduce the latency of discovery and resolution by adding software protocols.
Can we? What does this even mean?
[Edit: I guess you mean the things in your parent comment about requiring including some sort of canary token in the DB. I'm skeptical about that as it assumes a certain DB structure and is difficult to verify compliance.
More importantly I don't really see how it would have stopped this specific situation. It seems like the leak was published to 4chan pretty immediately. More generally, how do you discover if the token is leaked, in general? It's not like the hackers are going to self-report.]
The signatures would appear in the drop. A primitive version would be file metadata or JFIF. Even the images themselves or steganography could be used.
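Added example (not from any commenter in this thread) of what the "canary token in the DB" / "signature in the JFIF" idea looks like in practice: a per-dataset token derived with HMAC so a hit in a dump can be attributed to the dataset it was planted in, a fake row carrying it, a COM segment carrying it inside a JPEG, and scanners that look for known tokens in a text dump and in image metadata. The secret, dataset names, sample dump and the minimal JFIF bytes are all constructed for the demo; the "image" is only a valid marker skeleton, not a decodable picture.

```python
import hashlib
import hmac
import struct

# Constructed for the demo; a real deployment keeps this in a secret store.
CANARY_SECRET = b"example-only-secret-rotate-me"


def make_canary(dataset_id: str, secret: bytes = CANARY_SECRET) -> str:
    """Deterministic, unforgeable token for one dataset.

    HMAC over the dataset name means the owner can recompute the token for
    every dataset it protects and attribute a hit without a token registry,
    while nobody without `secret` can plant a look-alike.
    """
    return hmac.new(secret, dataset_id.encode(), hashlib.sha256).hexdigest()[:20]


def canary_record(dataset_id: str) -> dict:
    """Fake row planted among real ones; in production it should look like
    an ordinary record so it is not filtered out before a dump is shared."""
    return {"name": "Jordan Example",
            "email": f"{make_canary(dataset_id)}@example.invalid",
            "ssn": "000-00-0000"}


# ---- JPEG/JFIF marker handling --------------------------------------------
SOI, EOI, COM = b"\xff\xd8", b"\xff\xd9", 0xFE


def jfif_segments(data: bytes):
    """Yield (marker, payload) for each segment before SOS/EOI, with bounds
    checks so a hostile dump cannot make the parser read out of range."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI or SOS: stop
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes itself
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("bad segment length")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def embed_canary(jpeg: bytes, token: str) -> bytes:
    """Insert a COM segment right after SOI. Decoders ignore COM so the image
    still renders; metadata-stripping tools remove it, which is the weakness
    of this 'primitive' version."""
    payload = token.encode()
    seg = b"\xff" + bytes([COM]) + struct.pack(">H", len(payload) + 2) + payload
    return jpeg[:2] + seg + jpeg[2:]


def extract_comments(jpeg: bytes) -> list:
    return [p.decode("latin-1") for m, p in jfif_segments(jpeg) if m == COM]


# ---- scanning a drop for known tokens -------------------------------------
def scan_dump(dump_text: str, known_datasets: list) -> dict:
    """{dataset_id: [line numbers]} for every known token found in the text."""
    lookup = {make_canary(d): d for d in known_datasets}
    hits = {}
    for lineno, line in enumerate(dump_text.splitlines(), 1):
        for tok, ds in lookup.items():
            if tok in line:
                hits.setdefault(ds, []).append(lineno)
    return hits


def scan_images(images: dict, known_datasets: list) -> dict:
    """{dataset_id: [filenames]} for every known token found in COM segments."""
    lookup = {make_canary(d): d for d in known_datasets}
    hits = {}
    for name, data in images.items():
        for comment in extract_comments(data):
            for tok, ds in lookup.items():
                if tok in comment:
                    hits.setdefault(ds, []).append(name)
    return hits


# Constructed minimal JFIF: SOI, APP0 "JFIF" header, EOI (marker skeleton only).
MINIMAL_JFIF = (SOI + b"\xff\xe0" + struct.pack(">H", 16)
                + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + EOI)

# Constructed sample dump with the planted row for dataset "users_prod".
_row = canary_record("users_prod")
SAMPLE_DUMP = "\n".join([
    "id,name,email,ssn",
    "1,Alice Example,alice@example.invalid,123-45-6789",
    f"2,{_row['name']},{_row['email']},{_row['ssn']}",
    "3,Bob Example,bob@example.invalid,987-65-4321",
])

if __name__ == "__main__":
    datasets = ["users_prod", "users_staging"]
    print(scan_dump(SAMPLE_DUMP, datasets))
    tagged = embed_canary(MINIMAL_JFIF, make_canary("users_prod"))
    print(scan_images({"selfie.jpg": tagged, "clean.jpg": MINIMAL_JFIF}, datasets))
```

The scanner side is the part the thread is doubtful about: it only works once you have the drop in hand, so it attributes a leak, it does not discover one. The HMAC derivation is what makes attribution cheap (recompute for each dataset you own, compare), and the bounds-checked segment walk matters because the files you scan come from the attacker.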
I guess, but it seems a bit like a solution that only works for this specific dump - most db breaches don't have photos in them.
My bigger concern though is how you translate that into discovering such breaches. Are you just googling for your token once a day? This breach was fairly public but lots of breaches are either sold or shared privately. By the time it's public enough to show up in a google search usually everyone already knows the who and what of the breach. I think it would be unusual for the contents of the breach to be publicly shared without identifying where the contents came from.
There is no indication that this particular breach was ever on the "dark web" before widely being discovered.
Yes dark web scanners are a thing, but just because something exists does not mean it would work for a specific situation. I'm doubtful they would work most of the time.
That's a reactive measure. Certainly, it's worth pursuing. Though like the notion that you can't protect people from being murdered if you only focus on arresting murderers, there is a need for a preventative solution as well.
If you want companies to care about security then you need to make it affect their bottom line.
This wasn't the work of some super hacker. They literally just posted the info in public.