> We are sorry. We regret that this incident has caused worry for our partners and people. We have begun the process to identify and contact those impacted and are working closely with law enforcement and the relevant regulators. We are fully committed to maintaining your trust.
I know there will be a bunch of cynics who say that an LLM or a PR crisis team wrote this post... but if they did, hats off. It is powerful and moving. This guy really falls on his sword / takes it on the chin. In terms of "downplaying" it seems like they are pretty concrete in sharing the blast radius. If less than 25% of users were affected, how else should they phrase this? They do say that this was data used for onboarding merchants that was on a system that was used in the past and is no longer used.
I am as annoyed by companies sugar coating responses, but here the response sounds refreshingly concrete and more genuine than most.
"A quarter of user accounts were affected. We have calculated that to be 7% of our customers."
> Like, how many other deprecated third party systems were identified handling a significant portion of your customer data after this hack?
The problem with that is that you'll never know. Because you'd have to audit each and every service provider and I think only Ebay does that. And they're not exactly a paragon of virtue either.
> Who declined to allocate the necessary budget to keep systems updated?
See: prevention paradox. Until this sinks in it will happen over and over again.
> But mere words like these are absolutely meaningless in today's world. People are right to dismiss them.
Again, yes, but: they are at least attempting to use the right words. Now they need to follow them up with the right actions.
The problem cannot be helped by research against cybercrime. Proper practices for protections are well established and known, they just need to be implemented.
The amount donated should've rather been invested into better protections / hiring a person responsible in the company.
(Context: The hack happened on a not properly decommissioned legacy system.)
Yes there are negative externalities in funding ransomware operations, not paying is still much more likely to hurt your customers than paying.
The point here is that this is an expensive virtue signal. Although, it would be more effective if we knew how expensive it was.
- timely response
- initial disclosure by company and not third party
- actual expression of shame and remorse
- a decent explanation of target/scope
i could imagine being cynical about the statement, but look at other companies who have gotten breached in the past. very few of them do well on all points
From customer perspective “in an effort to reduce the likelihood of this data becoming widely available, we’ve paid the ransom” is probably better, even if some people will not like it.
Also to really be transparent it’d be good to post a detailed postmortem along with audit results detailing other problems they (most likely) discovered.
And selling the data from companies like Checkout.com is generally still worth a decent amount, even if nowhere close to the bigger ransom payments.
junaru•48m ago
Can this be tax deducted? Because this sounds like gaslighting to change the narrative.
worthless-trash•44m ago
junaru•25m ago
laylower•16m ago
ritzaco•15m ago
This is definitely not the case. If you make $100 profit and you would have had to pay 20% corporate tax, then you pay $20 in taxes, you'd be left with $80 to buy chocolate or whatever you want.
If you donate $20 and deduct it from your profit, then your profit is now calculated at $80. So you pay $16 in taxes. So you saved $4 but spent $20, so you're $16 dollars down and now you only have $64 for chocolate, so not 'essentially nothing'.
retsibsi•11m ago
Unless you're positing some very specific, unusual situation, this isn't how tax deductibility works. The dollar amount of a tax deductible donation is subtracted from your taxable income, not from your tax bill. So you're getting a discount on the donation equal to your marginal tax rate.
Cyclone_•40m ago