Stop Blaming Your Employee, Wyze
By: John Honovich, Published on Dec 30, 2019
Wyze management is at fault for its massive data leak, not the 'employee' on whom it has centered the blame.
While blaming an employee is clever marketing, it obscures the real issue here - that Wyze failed fundamentally at providing cybersecurity controls for the millions of users of its service.
Wyze started this in their response to the leak, clearly calling out the employee who made the "mistake":
That narrative continued, culminating in the NY Times leading with the "employee's mistake":
On the plus side, this is clever marketing. By leading with an individual employee mistake, they can garner sympathy. Everyone has made a mistake. Forgive and forget, etc.
Blame Wyze Management
The reality is that Wyze management has to be held responsible. And not simply in a generic 'the buck stops here' way.
Even accepting Wyze's explanation of what happened, the following series of serious errors occurred beyond 'the employee':
- Wyze decided to mass copy and paste customer data. The reason claimed was to "measure basic business metrics like device activations, failed connection rates". Why did they need to include customer email addresses, WiFi SSIDs, heights of customers, etc. to accomplish that? Was that the fault of the same 'employee'?
- When the 'employee' 'removed' the "security protocols for this data", why did no other employee or manager at Wyze check this? Can employees simply unilaterally remove security protocols or copy and paste customer data? Beyond that, why was there no automated way to be alerted to this immediately?
- How did this mistake remain unfixed for weeks? How did no one at Wyze notice it was publicly listed online? How long would the mistake have been unresolved if Twelve Security did not publicly report it? Are there no other 'employees' at Wyze that monitor for these things?
Wyze is an excellent marketing and customer support organization - full stop.
But they are a poor engineering organization that rests heavily on other companies like their PRC China manufacturer Tianjin Hualai Technology.
Likewise, for their AI video analytics, they depended on XNOR.ai, with that partner abruptly canceling on them last month.
For a company that is literally named 'Wyze Labs', the reality is that their technical capabilities are insufficient for the massive customer scale they have now reached.
We are not the only ones who see a problem in blaming an 'employee', for example:
Move Fast And Leak Customer Data
Not only is a Wyze 'employee' at fault, but Wyze also emphasized their 'extremely fast growth'.
While some may say that the era of 'move fast and break things' is over, evidently not for Wyze.
Wyze has grown extremely fast. Their unmatched combination of super low-cost China technology and American e-marketing has made them a major security provider.
Now, the company's management needs to accept the responsibility that comes with their size.