You are right, and the company is definitely to blame. But, compared to how usually other breach happens, I don’t think this company was that much negligient - I mean, their only mistake was as far as I know that they did not force the users to use MFA. A mistake, sure, but not as grave as we usually see in data breaches.
My point was mostly that IMO we should in this case focus more on the users, because they are also at fault, but more importantly I think it’s a pretty impactful story - “few thousand people reuse passwords, so they caused millions of users data to be leaked” is a headline that teaches a lesson in security awarness, and I think would be better to focus on that, instead of on “A company didn’t force users to use MFA”, which is only framed as “company has been breached and blames users”. That will not teach anyone anything, unfortunately.
I’m not saying that the company shouldn’t also be blamed, because they did purposefully choose to prefer user experience and conversion rate (because bad UX hurts sales, as you’ve mentioned) instead of better security practices, I’m just trying to figure out how to get at least something good out of this incident - and “company blames users for them getting breached” isn’t going to teach anyone anything.
However, something good did come up out of it, at least for me - I’ve realized that it never occured to us to put “MFA is not enforced” into pentest findings, and this would make for a great case why to start doing it, so I’ve added it into our templates.
You are right, and the company is definitely to blame. But, compared to how usually other breach happens, I don’t think this company was that much negligient - I mean, their only mistake was as far as I know that they did not force the users to use MFA. A mistake, sure, but not as grave as we usually see in data breaches.
My point was mostly that IMO we should in this case focus more on the users, because they are also at fault, but more importantly I think it’s a pretty impactful story - “few thousand people reuse passwords, so they caused millions of users data to be leaked” is a headline that teaches a lesson in security awarness, and I think would be better to focus on that, instead of on “A company didn’t force users to use MFA”, which is only framed as “company has been breached and blames users”. That will not teach anyone anything, unfortunately.
I’m not saying that the company shouldn’t also be blamed, because they did purposefully choose to prefer user experience and conversion rate (because bad UX hurts sales, as you’ve mentioned) instead of better security practices, I’m just trying to figure out how to get at least something good out of this incident - and “company blames users for them getting breached” isn’t going to teach anyone anything.
However, something good did come up out of it, at least for me - I’ve realized that it never occured to us to put “MFA is not enforced” into pentest findings, and this would make for a great case why to start doing it, so I’ve added it into our templates.