
There's a lot of commentary on this, but people seem to be conflating a couple of points - namely that this cut all access - everything, and emailed to personal email and not just access to "secure" systems. That is pretty unusual, and not something I've seen.

Typically access to sensitive systems is cut, but cutting everything and notifying to personal email seems unusual. Sensitive information should always be segregated and subject to tight controls, which is easy to sever, and then leave regular email and video conferencing in place - i.e. the bare minimum necessary to communicate over a work device.




> Sensitive information should always be segregated and subject to tight controls, which is easy to sever

This, very few people should have access to production data. This is a shocking revelation. I’m reevaluating being a customer of theirs.


In this episode of Coinbase they learn that authentication and authorization are two different things :D

I was similarly shocked that the only control plane they had to limit access to sensitive information was literally terminating everything. They don't have any kind of access control that would allow them to keep an employee in their system but limit their access. How exactly are they running a "finance company" if they don't have these basic protections.

I could see if they were an early stage startup and just haven't gotten around to it, but they are multiple thousands of employees at this point. In every startup I've worked in, implementing access controls ends up being a priority around 100 employees.

I've never used Coinbase but this revelation makes me not want to ever use them in the future.
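An added example, not code from the thread or from Coinbase, of the separation the two comments above are asking for: a toy policy model in which authentication (is the account still active?) and authorization (which system tiers does it hold?) are separate checks, so the sensitive tier can be severed while email and video stay reachable, and only full termination disables everything. The tier names, systems and the `Account` class are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed system tiers for the example: a communication baseline that an
# employee keeps while still employed, and a sensitive tier that is the
# first thing to go when access is restricted.
COMMS = {"email", "video"}
SENSITIVE = {"prod_db", "customer_pii", "treasury"}


@dataclass
class Account:
    user: str
    active: bool = True                          # authentication: may sign in at all
    grants: set = field(default_factory=set)     # authorization: systems it may reach
    audit: list = field(default_factory=list)    # who did what, for the record


def can_access(acct: Account, system: str) -> bool:
    """Both checks must pass: a disabled account reaches nothing,
    an active account reaches only what it has been granted."""
    return acct.active and system in acct.grants


def sever_sensitive(acct: Account, actor: str) -> Account:
    """Targeted revocation: drop every sensitive grant, keep the comms baseline."""
    removed = acct.grants & SENSITIVE
    acct.grants -= SENSITIVE
    acct.audit.append(f"{actor} revoked {sorted(removed)} from {acct.user}")
    return acct


def terminate(acct: Account, actor: str) -> Account:
    """Blunt instrument: disable the account, which fails the authentication check."""
    acct.active = False
    acct.audit.append(f"{actor} disabled {acct.user}")
    return acct


def access_report(acct: Account) -> dict:
    """Effective access per system after the policy has been applied."""
    return {s: can_access(acct, s) for s in sorted(COMMS | SENSITIVE)}


if __name__ == "__main__":
    a = Account("alice", grants=set(COMMS | SENSITIVE))   # constructed sample account
    sever_sensitive(a, "secops")
    print(access_report(a))   # email/video True, sensitive systems False
    terminate(a, "hr")
    print(access_report(a))   # everything False
```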


Email is often "production data" -- it contains personal data, IP, business relationship information and so on. Sending an email from an @coinbase.com is certainly a production action.

It is only fairly recently that locking people out of the office didn't implicitly remove their access to email, memos, letters and so on.


This is true, but most institutions like Coinbase don’t have customers email employees.

Customers email something like “support@domain.com” and that routes to a ticketing system (eg Zendesk), not to people.

And, the vast majority of employees don’t directly interact with customers either.

Well designed controls deliberately keep PII data out of general purpose systems like email, drive sharing, dev ticketing, etc.

I agree that the remote move introduces new risks, but those should be minimized by the existing controls in place.




