top | item 33913074

floober | 3 years ago

> So they set out to describe it as „an accident“ because „blameless post-mortems“ are something people really like?

As someone who has operated bug bounty programs, understanding what processes might have prevented things from going off the rails _in spite of_ internal actors with different motivations is very helpful to me. Placing all of the blame on an individual removes the opportunity to improve things.

simoncion | 3 years ago

> Placing all of the blame on an individual removes the opportunity to improve things.

It seems to me that there's another option. Describe the problem thusly:

> A Lyft employee grabbed our data storage access keys from GitHub. He, or someone else, then used these keys to grab PII that Uber was legally required to safeguard. Uber management and/or legal actively worked to cover all of this up and mislead the FTC about the nature and size of the breach.

>

> Given these facts, what processes and procedures can we change or create to ensure that the PII we're charged with safeguarding remains safe and guarded, that any threat to or breach of said information is detected as soon as is reasonably possible, and that any attempts of management and/or legal to cover up any such incidents are detected and reported to the appropriate authorities?

stefan_ | 3 years ago

But the bug bounty policy was very clear on all of this and this extortionist never concealed his intentions. And all this text can come up with is "what if we loop in even more people". Indeed this description made it very clear that the existing processes were intentionally subverted; what can more processes do for avoiding that when it happens by decision of the CSO and CEO?

tptacek | 3 years ago

An example of a complicating factor identified by this postmortem is that the CSO was simultaneously a Dep. GC, and was made a DGC in part to facilitate direct reporting relationships with the CEO that ended up short circuiting the normal GC process.

Further factors identified in the postmortem involve responses given to the FTC that weren't properly vetted, but easily could have been by a typical counsel's team.