Hacker News
A massive cache of law enforcement personnel data has leaked (zdnet.com)
81 points by Bender on June 29, 2018 | 15 comments


>The database dates back to April 2017 and was uploaded a year later to a web server, believed to be owned by the organization, with no password protection.

A hallmark of negligence right there. Hard to grasp why the protocols weren't followed in this specific instance by Texas State University (which was hosting the database) given the extreme sensitivity of the information content and adverse fallout that could result -- public exposure of personally identifiable information of thousands of law enforcement personnel across the country.

A perfect example of what happens when data security and integrity protocols are taken for granted.


> Hard to grasp why the protocols weren't followed in this specific instance

My ignorant guess, someone who could have made an active decision instead vaguely thought "we're not that interesting, who would even know we exist, it would take time and money to learn how or find someone who knows ... squirrel!"


Relying solely on security by obscurity is an extremely sub-optimal method of guarding sensitive data. It's better to be safe than sorry in every instance when it comes to private information imo.


Not sure why you're being downvoted here. This is a valid guess, and disagreeing with it shouldn't mean auto-downvote.


More than that, this database contains way too much data beyond the minimum needed - to be totally unguarded in addition is abhorrent.


It would be interesting if someone created a "Have I Been Pwned" service for these types of leaks. Does anyone know if one exists?


Between Equifax and today Exactis both leaking 300M+ records it's not really a question of if, but rather how many times have I been pwned...


As of now, there are 3 major data leak stories on the HN front page at the same time.

Passwords can at least be changed, but data leaks are basically entropic; there's no way to reverse the damage. I don't want to stop holding leak sources accountable for what they lose, but from a personal viewpoint I'm now more interested in mitigation than prevention...


> I don't want to stop holding leak sources accountable for what they lose

Where is this happening? I'm not aware of any company being prosecuted (or even penalized in any significant way) for releasing data.


I meant socially, as a tech community - I'm wondering how to strike a balance between "realistically, your information will get leaked, plan accordingly" and "but that doesn't make it okay".

Legally, or even on a consumer level, I don't see any kind of meaningful consequence. And the rate of data loss probably won't go down until that changes.


Have I Been Pwned already considers data breaches in scope - it surprised me a bit that it reported things where my password wasn't at risk at all but my data was leaked and there was nothing I could do about it. (In particular there was one breach of data scraped from publicly available data from GitHub, where there was neither anything I could do about it nor anything I wanted to do about it.)

I think it's still keyed on email address though.


I wouldn't call it a leak, as the data is nowhere to be found.


Having received 10s of millions in grants since 2002...


Site is experiencing choke of HN frontpage I think.

Feels like this is a serious crime. If caught, any idea what the penalty would be for such abuse? 20 years Feds club?


>Feels like this is a serious crime. If caught, any idea what the penalty would be for such abuse? 20 years Feds club?

I don't know why you're getting down-voted. Crimes that in even the most trivial way victimize cops get prosecuted super aggressively.



