Ask HN:How to warn a company about the security issues if they refuse to listen?
While I was visiting a client, I found out a neighbor has a massive security problem with their online services. It was by luck, I didn't even use hard tools to find it. I am sure real foreign hackers wouldn't stop where I stopped after seeing everything by luck. I didn't do anything malicious, not even tried to penetrate them as I am afraid of any kind of legal responsibility.
This company is working with very large enterprises, as well as the government/defense etc.
----
I tried to contact their executives via LinkedIn, I got no response. (3 people).
I sent 5 emails to their executives after finding their email addresses from various business listing sites. Only one answered to my detailed email saying: "I will forward this email to our IT, if we need your help, we will let you know." And this person didn't even ask the details nor replied my emails any further.
---
It has been 2 weeks, they didn't do anything about the security issues they have with their software. Their incredibly loose system allowing:
-local network and all computers
-backups
-every client they ever had
-clients invoice
-manipulate data of orders and machines
-their core software Database, with full read/write possibility with no restriction or logging
-most importantly, all of their connected client's local IP addresses and so on.
---
I sent them another email today, they seem to ignore. I am extremely baffled that a company can ignore such a warning and don't take action.
---
What should I do? I wasted enough time typing them detailed emails.
12 comments
[ 4.4 ms ] story [ 19.1 ms ] threadScrew 'em, you don't owe them anything. And if they don't want to fix the issue, it's not your problem.
[1]: https://en.wikipedia.org/wiki/Weev
It is a shame that we don't have an organisation, a foundation about this subject.
A place, a website to tell such a risk for user privacy.
Perhaps the RGPD from EU can help?
But aside from that, I can't think of a legal way to proceed. You could of course access customer data and then contact an important customer directly in an anonymous fashion. That'd light a fire under them but you would almost certainly be in violation of the law. The fact that you've already contacted them, presumably using your real-world identity would put you under suspicion swiftly.
But as others have said, what's in it for you? I'd personally file this under "not my problem" at this point.
Certainly, I don't want any legal issue randomly because of a loosely secured company while I try to help them for free. As the other commenter indicated, I wish there was a government department which could take care of this type of things.
Could try emailing security@, hostmaster@?
Shake your head and move on!
I do disagree with one comment here. I would NOT delete your attempts to warn them. You deleting this could be worse for you later, or be seen as you deleting "evidence". As long as you are not doing anything illegal yourself, and you have done nothing to harm this company than you are safer to keep the records. If you do not, and you delete them, you have no proof and they could make later claims against you. Just my 2 cents, but IANAL.
*edit fixed a word
I am moving on! I hope this thread helps the next person who is having somewhat similar situation.
Do it anonymously, if you fear backlash.