I would agree fintech companies, or any company managing a lot of PII, must take supply chain security much more seriously than say a fashion blog or a video game. The level of negligence is anchored to the potential for harm, but it is IMO a rare case where a successful company manages without a lot of PII or payment details. Even Deezer, who /only/ sells booze, was sued for a data breach and had to give out thousands of $10 checks in a class action. Their negligence hurt them and their users.

For context, most of my clients are high risk with large PII footprints or various forms of fintech. Even in fintech and banking, dependency code review is unheard of, and supply chain attacks are happening in the wild targeting those orgs.

I kind of do intend to come off alarmist about this, because it is very alarming and is likely going to get a lot more people harmed than it already has.




I think you meant to refer to Drizly. I would say this is an example of a company that put their priorities on growth rather than security and it worked out for them. It sounds like Drizly didn't think about security at all, and in the end it cost them 0.6% (worst case they settled for $7M and were acquired for over $1.1B) of their value. Looks like their executive team prioritized the right things to me.

Making a decision for or against more security is more about risk mitigation. If the courts are just going to slap companies on the wrists for data breaches, I don't see a strong argument for intense security protocols for your run-of-the-mill e-commerce business.


Ha ha. Yes. Drizly is what I meant to say. Too late to edit now.

I would say it caused them reputational harm as well. It would have likely been a lot less trouble to just hire a capable security engineer or two and do some basics.

To your point, we need these things to hurt a lot more, but it is a start.


People have been conditioned to ignore security. Too many big public incidents, too many emails telling them their data was exposed. They don't care anymore.

I think you're fighting an uphill battle here.


It took something like 100 years to normalize washing hands in the medical industry. I am in this for the long game.
