
I would have thought that companies would have woken up by now to the idea that security is important and worth the cost...


Being charitable, I think the more likely explanation is that CTOs/CFOs do not understand how easily these things can happen, and how much data can be exposed by a "small" mistake.

One line of code can expose 30,000,000 records. That's hard to get your head around if you are not a programmer.


From the description, this wasn't one line of code, this was a major design oversight. Either nobody is security conscious on the dev team handling their mobile/web services, or it's just one guy with no code review on major components, or people who complained were tuned out, ignored, placed in low priority, or some other totally irresponsible managerial action.

You have to have a lot of bad process in place for something like this to get in.


A few years ago, sure - but now, after countless breaches? Cyber attacks are regularly in the news these days.


We get around this by limiting our databases to only 1,000,000 records per codebase. Then we duplicate the codebase 30 times (with tweaks) for 30,000,000 records... but at least in the retrospective we'll say there were 30 lines of code at fault, not just 1.


You would think so... but I've seen big companies with security-type departments, who operate in the tech industry, that have executives that represent them well... and they spend a lot of time explaining to other executives why they shouldn't sue that security researcher who just did us a favor... or why engineering really should maybe fix that bug rather than put it off...

Even in companies where good people try to do the right thing, security fails not just like in this case, where they chose not to act, but also because nobody else at the company cares / is knowledgeable enough to care.


They hired the former head of security for Equifax. You can't get much more serious about security than that.


In retrospect that’s a hilarious statement but at the time it did make a lot of sense.


What cost?

Happy for someone knowledgeable to turn this into a non-rhetorical question.


cost == bad;


Why? What do they lose? Equifax for example is doing just fine. They don’t feel the pain, we do.


We are not Equifax's customers. We are Panera Bread's customers. There is some risk if you directly expose the customers. There is less risk if you lose a third party's data.


You think people are going to stop buying Panera Bread because of this?

There are no fines. People don't stop purchasing stuff from them.

The risks of not following security practices are so low that it makes logical business sense to not care much about them.

Now, say if we add fines on these security breaches. Proper fines, say % of global revenue type fines. Then yeah, they'll start caring.

Until then, wait for more of these security breaches.


> You think people are going to stop buying Panera Bread because of this?

Well, I am, yeah.


Just from speaking to my friends who are not tech people and are regular Panera Bread customers: they don't care. Sorry for using this language, but as a direct quote one of them said, "dude who gives a shit, everyone is leaking shit these days."


The company won't notice unless the rest of the people with your identity stop, too.


Making upfront, definitively costly investments in order to avoid potential negative future consequences is a hard one to justify.

Especially when the future consequences barely exist. It's very rare for a breach to have serious impact on a company, relative to other areas the company could invest.



