Uber paid $100K to protect 57M people?

Good.

I think people forget the goal is actually to prevent harm.

Yeah, those hackers could totally have kept the data. But then, their identities were known, and they knew they might face consequences.

Not ideal, welcome to the real.
I suspect they told themselves that if the data never hit the open darkweb markets, then it was still in a "controlled" state. That's a tough assumption to make unless you know things not yet disclosed about the attackers.
I have absolutely met people sketchy enough to grab the data, maybe or maybe not sketchy enough to sell the data to bad people, but who would _absolutely_ prefer to sell the data back to the victim for a price. Totally, 100%, said it out loud.
Yeah, they didn't notify. And yes, that's a problem. I didn't defend the silence, only the ransom payment. Because people do that, for ransomware, for kids, for this.

But, what I'm interested in, is, OK, they had a breach, they report it, what does *everyone* do next?
If it's just rage at Uber, and nothing else, how is anyone safer?

What next. That's the user safety view.
I specifically wanted to make the point that it's not a coverup if there's a chance you can *actually mitigate harm*, which is the *goal* of the disclosure legislation. But that legislation assumes people can do some magic thing once they have knowledge. Can they? Really?
I am not bothered in the slightest that they tried to suppress the harm. People are correct that they still had an obligation to breach report, unless they had some remarkable and undisclosed reason to believe that unnecessary.
You can follow @dakami.