In the wake of yet another high-profile data breach, I find myself returning to a question that’s haunted me for years—long before it was a headline:
How far does responsibility extend when a company’s security failure leads, indirectly or not, to your personal loss?
For me, this isn’t an abstract debate. It’s lived experience. In fact, it’s the story I tell in my book Undermined—a personal account of how I lost $31.5 million in cryptocurrency to a SIM swap attack, and the long shadow that breach still casts over my life.
But even that headline doesn’t tell the full story.
The Attack Didn’t Start in Crypto
In both of the major thefts I endured, the breaches didn’t begin on a blockchain. They started with third-party services—companies completely outside the crypto space. Yet those same companies became the access points that attackers used to worm their way into my digital life.
- A telecom provider’s lax internal controls allowed a criminal to port my phone number.
- An email provider failed to alert me to unauthorized access.
- The very infrastructure I relied on for security—two-factor authentication—was turned against me.
By the time the attacker drained my wallets, it was already over. I didn’t lose my assets because I made a bad trade. I lost them because someone else failed to protect my identity, my access, and my data.
And that’s what still infuriates me today.
Who Is Actually Liable?
This is the hard question I’ve been wrestling with ever since:
Should companies be held accountable when their security failures contribute to a breach—even if the actual loss happens elsewhere?
Because here’s the reality: data breaches rarely happen in a vacuum.
In today’s digital ecosystem, your identity flows through dozens of platforms—banks, social networks, telecom providers, e-commerce sites, cloud services—and any one of them can become the weakest link.
So when a breach occurs, and someone uses that breach to impersonate you, steal your access, and empty your crypto wallets… shouldn’t some of that responsibility fall on the company that let it happen?
It’s like this: if someone steals a master key from your apartment building’s front office and uses it to rob your unit, are they the only criminal? Or does the building share some of the blame for not securing the key in the first place?
The Burden of Being the Victim
When I wrote Undermined, I wanted to do more than recount how my digital life was dismantled—I wanted to expose the invisible systems we trust every day. The book is as much a cybersecurity cautionary tale as it is a personal memoir. It documents how the interplay between corporate negligence, lack of accountability, and underregulated digital services created a perfect storm that cost me everything.
Since then, I’ve watched countless other victims—many of them unaware of how vulnerable they are—fall through the same cracks.
And what infuriates me most?
No one steps up. Not the telecoms. Not the email providers. Not the banks. Everyone points fingers. No one accepts blame. And victims are left cleaning up the wreckage alone.
Where Does the Chain of Responsibility End?
We have to ask hard questions about how far down the chain accountability should go.
- Is a company responsible for a breach that leads to identity theft on another platform?
- Should a telecom be liable if a SIM swap attack enables access to a crypto wallet?
- What if a cloud provider’s breach leads to compromised documents that fuel a phishing campaign?
If the answer is always “not our fault,” then we’re sending a dangerous message:
That data security doesn’t matter unless the breach happens on your platform.
But in the interconnected world we live in, that’s a lie. Data doesn’t respect corporate boundaries. Neither do attackers.
What Needs to Change?
After years of dealing with the fallout, here’s what I believe must happen:
- Third-party breach responsibility must be recognized.
Companies whose data is exploited in downstream attacks should face legal and financial accountability, just like if their systems directly caused a breach.
- Default security needs to be mandatory, not optional.
Telecoms, banks, and tech companies should be held to strict standards for multi-factor authentication, identity verification, and breach response.
- Transparency should be the law, not a favor.
Victims should know exactly what data was leaked, how it can be exploited, and what mitigation is being done. We shouldn’t need lawsuits to get that information.
- Cross-platform liability frameworks need to exist.
Right now, each company treats your data as only their problem—until it’s not. We need legislation that recognizes the shared nature of identity and access in the cloud age.
- Crypto isn’t the villain here—lack of responsibility is.
Critics like to blame crypto for enabling theft. But the truth is, crypto just exposes what has always existed: brittle systems, lazy security, and companies unwilling to own their failures.
Final Reflection
Undermined was my way of clawing back power—of reclaiming a narrative that was almost stolen from me along with my Bitcoin and DigiByte.
But the deeper I dive into these issues, the more I realize that what happened to me wasn’t rare. It was inevitable in a system designed to protect profits over people.
If we ever want to live in a world where digital freedom and decentralization can truly flourish, then the burden of trust can’t fall entirely on individuals.
It must be shared by the corporations who hold our data, our identities, and—too often—our fate.
So I’ll ask it again, not just for me, but for everyone who’s been in my shoes:
How many layers deep should accountability go?
Because right now, the layers feel endless—and the safety net is nowhere to be found.
