The comments on combinator:
I have a real problem with the pretense posed by the article that the club has no blame. They should have understood the risk they were taking on by subcontracting a vendor to collect passports, and better vetted that vendor. Obviously the service provider was completely inept, but that doesn’t absolve the fools using them. I preach to my clients this sort of PII should be treated as a toxic, hazardous substance. Ideally don’t touch it with a 10 foot pole, and if you can’t help it then limit the scope, protect it with strong access policies that severely limit who can touch it (including encryption keys conservatively custodied), and securely delete it all as soon as possible.
Too many companies these days point you to shoddy third parties for some kind of functionality (e.g. book an appointment, perform KYC on you, host the online learning platform for your course, etc.), inappropriately foisting both a new business relationship on you that you never asked for along with their partner’s terms of service that you have no bargaining power in negotiating.
This is a side-effect of the SaaS era, and the model is broken.
jwr 9 days ago | parent | next [–]
If these kinds of breaches were actually costly, then people would indeed treat PII as toxic. But they aren’t. The media brouhaha blows over within a week or so, and things are fine again. Leaking PII should be very, very expensive, and then this idiocy would stop.
Has the link gone down? I get error when trying to access
yeah here’s an archive https://archive.ph/a6Tmo
first off - how is cambridge analytica still a thing in 2026?
They even mention the Cambridge analytica scandal for some reason
Probably AI written and they didn’t put “Don’t make us look like idiots” in the prompt.
That’s exactly what I was thinking
It seems someone re-registered the expired domain and turned it into whatever it is today.
https://whois.domaintools.com/cambridgeanalytica.org
- 299 days old
- Created on: 2025-09-05
- Expires on: 2026-09-05
Wiki says they’re defunct, so some party must have bought their website or something.
[…] PuffPal, a platform that manages membership and age verification for cannabis retailers and clubs across Europe.
Get ready for many more leaks, as governments require identity and age verification everywhere online.
Many organisations, which cannot be trusted with this data, are going to be processing it.
“Oops, welp, better get a new one with a stupid scowling Trump on it!”
– Idiot Administration probably





