That's just victim blaming. The same logic applies to every crime: "lock your doors if you don't want your TV to be stolen!".
It also works at any level of security: "Lock your doors and hire guards if you don't want clever thieves breaking a window..."
But if you require everyone to take adequate measures to physically secure their houses, you don't even need laws and morality!
And while this may provide the sort of negative reinforcement you are hoping for, actual damages in each case are going to be all over the place. That makes this one of the worst possible punishments. Imagine the penalty for speeding is a random outcome somewhere between a stern reminder and the death penalty. There would be nothing fair and little useful about that, even though it does follow the same basic principle of do bad -> be harmed.
You're not thinking of the right victim. You're considering the organizations who compiled the databases in question. If the databases are composed entirely of their own information that they created themselves, then sure they've suffered a loss. In most cases, however, these databases include privacy-sensitive personal information about the customers of the organization. Those customers have been victims of bad security practices ever since MongoDB was first installed, and this "meow" hack has ended their victimization.
> But if you require everyone to take adequate measures to physically secure their houses, you don't even need laws and morality!
If laws and morality were sufficient protection against malicious actors, I might agree with you.
However, in a world where cyber vandals are often beyond any accessible jurisdiction (and may even be supported by their local authorities), laws and morality are clearly not effective at keeping unauthorized users out of private systems. As such, the responsibility for keeping private information secure naturally falls on the people running the systems.
Putting up a network firewall (or at least requiring authentication) would have prevented the damage described in the OP, and is a rudimentary security measure that has been common practice for decades. The people who suffered significant damage from this attack should strongly consider outsourcing system administration to someone who knows what they're doing.
The truth is in the middle: you have to take some responsibility, but yes, of course some blame goes to those who also make it possible. If people just throw their hands up and say they're victims and have no responsibility to secure their systems, then they will always be victims.