> "Similarly, Uber argued that the industry at large had become more adept since 2014 at protecting private data in the cloud, and that Uber should not be judged for “what a company did then (back when the company was much smaller and the technology at issue was evolving) according to the standards that the agency thinks are appropriate now (given the current sophistication of the company and current industry best practices).” Uber made these arguments via letter in April 2017, approximately five months after the 2016 Breach."

I've been hearing this argument for decades, and every time it's been earnest but transparent blame-shifting. "The industry didn't understand security risks back then." "No one could have predicted this." The risks were well known back then by anyone who cared about risks.



Companies don't give a shit about security until it's too late. Security is a complex beast and I have yet to meet a developer who understands it top to bottom (nor should they, but I would expect even juniors to know they should not store creds in the git repo). It's an increasingly specialist role that startups rarely hire for because they're focusing on survival and growth, so it's to be expected this story will repeat ad nauseam.



