It most certainly was. You have someone outside your organization who accessed the data, and you know about it. Here's what you just wrote about the person who accessed this endpoint:
> - The author was ultimately banned from the community not for their opinions on this matter, but because of a long streak of unrelated conduct issues that culminated in a spree of saying horribly abusive things to multiple other members of the community.
> — They have been pursuing a grudge against the organization ever since. They are not a reliable narrator, this post is a fantasy version of events that casts them as a martyred hero.
Someone who has been acting maliciously against your organization accessed that data. And you think it's fine? They're a teenager. An angry teenager, who is acting out. You honestly believe you can trust they didn't distribute this data or tell anyone else about the problem before you found out about it?
When I was a teenager, someone in my year level gained access to a lot of personal data about a bunch of people in our year level. This was a smart individual who at least somewhat understood the gravity of the situation. But they were also a kid, of course they distributed some of the data — bragging rights and what not.
What about the section titled "the surveillance infrastructure (orpheus engine)" where the teenager claims children's data was intentionally being sent out to third parties, specifically to profile kids? What's that all about?
Look, no-one read this article and thought "Wow, this is well written article by a super mature well-adjusted individual. I'm taking this as gospel." The article is clearly written by an angry teenager. I feel far more invested in this now that I've seen your responses. The way you're handling this, and yourself, is just downright absurd. Stop.
I never said anything was fine. I said it was a serious vuln, and we took it seriously.
We patched the vulnerability, quickly. We addressed it with the engineer and made clear that this is no joke. We have extensive refactoring happening within our infrastructure to move to a model where this information is handled as much as possible through secure, audited, centralized systems. Is there something else we should be doing?
The crux of the question here was about whether GDPR obligates us to email all 5,000 people signed up for this program about this vulnerability. The two lawyers we have consulted on this have both said no. One of them specifically specializes in privacy compliance. It's not a complicated legal question, the answer is just no.
Benjamin_Dobell|3 months ago
> - The author was ultimately banned from the community not for their opinions on this matter, but because of a long streak of unrelated conduct issues that culminated in a spree of saying horribly abusive things to multiple other members of the community.
> — They have been pursuing a grudge against the organization ever since. They are not a reliable narrator, this post is a fantasy version of events that casts them as a martyred hero.
Someone who has been acting maliciously against your organization accessed that data. And you think it's fine? They're a teenager. An angry teenager, who is acting out. You honestly believe you can trust they didn't distribute this data or tell anyone else about the problem before you found out about it?
When I was a teenager, someone in my year level gained access to a lot of personal data about a bunch of people in our year level. This was a smart individual who at least somewhat understood the gravity of the situation. But they were also a kid, of course they distributed some of the data — bragging rights and what not.
What about the section titled "the surveillance infrastructure (orpheus engine)" where the teenager claims children's data was intentionally being sent out to third parties, specifically to profile kids? What's that all about?
Look, no-one read this article and thought "Wow, this is well written article by a super mature well-adjusted individual. I'm taking this as gospel." The article is clearly written by an angry teenager. I feel far more invested in this now that I've seen your responses. The way you're handling this, and yourself, is just downright absurd. Stop.
VEBee|3 months ago
SigmaEpsilonChi|3 months ago
We patched the vulnerability, quickly. We addressed it with the engineer and made clear that this is no joke. We have extensive refactoring happening within our infrastructure to move to a model where this information is handled as much as possible through secure, audited, centralized systems. Is there something else we should be doing?
The crux of the question here was about whether GDPR obligates us to email all 5,000 people signed up for this program about this vulnerability. The two lawyers we have consulted on this have both said no. One of them specifically specializes in privacy compliance. It's not a complicated legal question, the answer is just no.
dapoyo|3 months ago
SigmaEpsilonChi|3 months ago