Just a random question: Is there anything that gives companies an incentive to prevent such hacks? It seems that there are no consequences at all, except for some loss of reputation in the tech community. Is there a way to put legal pressure on tightening up security?
You are looking at necessity products built by large corporations whose products are usually regarded as the best of breed in the market.
If you are a designer, for instance, you'll most likely come to depend on Adobe Photoshop. That means at some point you've created an account. Adobe got breached and your data got leaked; you'll likely whine a little about it online, but unless you are willing to:
- shift your work and relearn a new tool other than Photoshop
- navigate your way around closing your account (with the assumption that your data is actually deleted after account closure), which is rather hard in most cases, since no one likes losing users.
Then you'll likely just suck it up, do what you can and hope for the best.
On the other hand, you've got small-time (but growing, not web-scale yet) services/products that can't really afford losing a large number of users. Those would worry most about security. Ironically, they'd stay off the grid for long enough and won't become attack targets until they make it big.
But that's just really the security industry, no system is 100% secure. And you never know if you've tightened your security enough until someone drills a hole. Then you patch it.
Any self-respecting corporation will have a security auditing policy, i.e. the so-called white-hat hackers or pen-testers. Good companies will run security audits every now and then in the hope of discovering new security holes introduced by software updates, system policy changes, etc.
As for legal pressure, it depends on what we are talking about. If you are a payment processing company then any data breach is a violation of your PCI compliance, which leads to a lot of bad PR and legal consequences.
If Facebook got breached and data was exposed, I doubt there is anything in the law that reacts to such an issue. Unless someone sues Facebook for damages, then that's a whole different ball game.
The incentives are there for businesses of all sizes. Legally? It depends. It's those schmucks that screw us all, plaintext passwords and shit.
That's pretty much country-dependent; local legislation on data protection varies. (And even then, AFAIK, it's limited to sensitive data, such as race/religion/banking, not the password to some website...)
In the European Union we have the Data Protection Directive, which means that organisations that store personal data are legally required to protect that data.
I often wonder, when there is a massive password breach, if anyone outside the tech world even really knows about it, even if they are affected by the breach.
I mean, most people don't really understand web security or computers, right? So if their email gets "hacked" they think "hackers" magically got access to their computer/email/etc. and Adobe, etc. isn't at fault.