Remember your competitors are people too. They most likely have families and bills to pay. A polite email would go a long way.


The vast majority of people have families, and everyone has bills to pay. That doesn't change the fact that he's risking the financial future of dozens/hundreds/thousands of people by failing to take even the most basic precautions.

This is dangerous and if the fastest way to fix it puts him out of business, so be it. I would absolutely put the financial safety of thousands of customers over the financial safety of one business owner.


> That doesn't change the fact that he's risking the financial future of dozens/hundreds/thousands of people by failing to take even the most basic precautions.

If the company in question is storing personal financial details on users? Sure. But credit card numbers? Please. Home Depot lost 56 million CC numbers, and the world did not come to a screeching halt.


You have clearly never had your identity stolen. It consumes you. Dealing with the direct fallout and the associated bullshit is your entire life for years. You think about it when you wake up, during meals, spending time with friends and family, every time you swipe a card for any transaction, and every time you log into any financial account online.


The world might have not come to a screeching halt, but if even one of the owners of those credit cards got their identity stolen, that person's life probably was/will be a living nightmare for years.

It's exceedingly hard to clear up identity theft. It takes years, and an enormous amount of time that's taken out of your personal and work time.


The fastest way to fix a problem is to tell the developers, not to get the authorities involved. I agree, it's negligent, but at least give people the opportunity to fix their mistakes, and maybe even inform their customers. I suppose we should shut down every business that makes a mistake with customer information. You can therefore shut down Microsoft, eBay and all the other organisations that have had data breaches in recent years due to negligence.


Remember the people who send polite emails to their competitors never get to build empires like Microsoft, Apple, Google, Oracle or Amazon.


Perhaps, but at least they can look at themselves in the mirror the next morning.

It's a sad world when you can't send someone who (as far as I can see so far) may just have made an honest mistake or hired the wrong "expert" help a friendly mail, to warn them of something you have (apparently legitimately) discovered that could get them and/or their customers in trouble, all because CYA and Fear The Lawyers.

So I vote for sending the quiet e-mail first, for the same reasons as I'd privately disclose any security vulnerability before making a public song and dance about it. The goal here apparently isn't to screw the other guy, it's to fix the problem. If you can do that by raising awareness courteously with the people who are best placed to apply that fix, isn't that a better strategy than shooting first and dealing with an industry that starts systematically concealing bad practice later?
