top | item 29739776


ff7c11 | 4 years ago

By temporarily defacing the Sega website and modifying files I think they have crossed the line. Enumerating what access they have, rooting through S3 and reporting it is OK, but by messing around like script kiddies they can no longer claim good faith. Publicising that you've illegally defaced the website is a little silly. Of course, Sega should not have got themselves so completely owned. Sega deserved to be punished, but these VPN twits have clearly committed a crime and Sega should maybe sue their company.


dragontamer|4 years ago

> Sega deserved to be punished

The store owner was gone on vacation, and thus the side of his store was riddled with graffiti. He deserved to get graffiti because he didn't take basic security precautions.

Fnoord|4 years ago

You don't need to break security to spray the side of a store. You do need to break security to deface a website.

Analogies are analogies, they're unnecessary in this case (nowadays). Because we've got laws to punish people who deface a website, and the law stands on its own.

It's akin to people who call 'copyright infringement' 'theft'. It's not the same, it's a different mechanic, damages are different, and... different laws apply. That doesn't mean one's right or wrong or anything like it; like I said: the laws stand on their own, respectively.

wwtrv|4 years ago

To me this situation seems more like a store owner forgetting to lock the door, which somebody noticed, came inside, put up a sign on the front window saying that the store owner is too stupid to lock his own door, and then called the owner to tell him about this.

throwawaygh|4 years ago

I think "deserves" is a better word than "deserved".

The punishment for grossly negligent handling of PII should not be a childish website defacement, and should not be enforced by vigilantes. Obviously.

The punishment for mishandling PII like this should be a painful fine, a rigorous externally imposed technical audit, and possibly civil/criminal implications for senior leadership.

(If the last one sounds unreasonable, consider Equifax. Many executives in charge of security orgs do not have technical degrees and, more importantly, have not booked any time in the trenches. Being self-taught and having non-engineering degrees can be okay, but combining that with no in-the-trenches experience is inexcusable. Assigning security to corporate politicians who don't understand the work that they are managing should be criminally negligent.)

matheusmoreira|4 years ago

It's more like a store owner who left all his customers' names, addresses, credit cards, purchasing history and everything else just lying out there in the open. Public embarrassment is too light a punishment for the inevitable day when someone else comes and takes it. The real victims are all the people harmed by their negligence.

123pie123|4 years ago

they don't deserve to get graffiti, but it is expected

they should be punished by legal means (legal proceedings or lawsuits) and by reputational damage

EGreg|4 years ago

So the store owner can just leave all his customers’ credit card information lying around and ignore PCI compliance etc. because anyone who would possibly use it for nefarious purposes is a criminal?

How would you prevent such negligence?

burnished|4 years ago

Strong disagree (not about the law claims, I'll leave that to the law-knowers), but about the moral implications of 'crossing a line'. It reads like they revealed security vulnerabilities that had the possibility to harm others. I think they can be allowed some leeway in their methods.

throwoutway|4 years ago

Nope. That can come after responsible disclosure. Did they try the responsible path first? Looks like they notified and then kept going for another 10 days.

walrus01|4 years ago

it seems like there's a couple of hundred consumer-facing VPN service providers, all with slick looking marketing websites to sell you a $5/mo service.

lots of them are nothing more than 1 or 2 people and some rented 1U servers or dedicated servers somewhere on whatever ISP they can find with cheap IP transit / DIA rates. maybe a part time website design/graphic arts person they found via fiverr to make things look cool.

from the perspective of a colocation-specialist ISP or medium sized generalist ISP that offers colo, they get lots of weird requests for colo and dedicated server services from VPN companies they've never heard of before. often with something like a corporate entity that exists in cyprus, panama or even weirder places.

looking at this in terms of the risk that a VPN provider presents to an ISP's reputation, IP space, attracting unusual volumes and numbers of DDoS, etc... there is a certain amount of "KYC" (exact same idea as finance industry KYC) that needs to go into a potential vpn service provider as a colocation client before quoting them a price or accepting them as a customer. fail to do that at your own risk.

it's very much in the weird/shady/grey market end of the ISP market.

the level of technical acumen and professionalism varies greatly between VPN providers.

rosndo|4 years ago

> often with something like a corporate entity that exists in cyprus, panama or even weirder places.

Wait? How is Cyprus supposed to be a weird place to incorporate?

I suppose Delaware is weird too? It’s not like anyone is actually based there.

>looking at this in terms of the risk that a VPN provider presents to an ISP's reputation, IP space

None, because you obviously make the VPN provider bring their own IPs. And even if you don’t? Just block email and the IP reputation issue is solved.

>attracting unusual volumes and numbers of DDoS, etc..

This has calmed down so so much over the past years.

> fail to do that at your own risk.

Not much risk at all as long as you make them prepay their bills. Nobody is getting depeered because they offered colo to a sketchy VPN provider.

Literally nothing can happen, the big ISPs do not give a single fuck about this.

(I don’t have any involvement with VPN nonsense, but do have extensive experience with “bulletproof” hosting)

tomrod|4 years ago

Who are reputable in the space?

kiklion|4 years ago

> By temporarily defacing the Sega website

I may have missed it but what did they deface?

I see a proof of script execution in what appears to be an uploaded file of a random string of letters and numbers .htm address.

So if done correctly there is a near zero chance of any public user stumbling into the site.

foldr|4 years ago

>Sega deserved to be punished

I don't understand this way of thinking. They made a serious security oversight, but that doesn't mean that they deserve to have their website defaced.

nulbyte|4 years ago

> Sega deserved to be punished, but these VPN twits have clearly committed a crime

I think the rest of the sentence makes it clear the author didn't intend to support defacement as punishment.

totalZero|4 years ago

Nah man, don't blame the victim. If I don't lock my door it doesn't mean that I have invited burglars into my home.