
It's standard practice and it freaks managers the fuck out, esp if they're not familiar with hacker culture. Maybe the standard practice needs some work? I'm not sure, I understand the perspective of security researchers who want to force action on a fix. But I also completely understand how a deadline is perceived as a threat.

Don't forget that there's lots of gray hat / black hat hackers out there as well, who will begin with an email similar to this, add a bitcoin address for the "bug bounty" in the next, and will end with escalating the price of the "bounty" for the "service" of deleting the data they harvested. It's hard even for tech-savvy managers to figure out which of these you're dealing with. Now put yourself into the shoes of the average insurance company middle manager.

For completeness, I don't think this company's behavior is excusable. I'm just saying that maybe also the security community should iterate a bit more on the nuances of the "standard practice" vulnerability reporting process, with the explicit goal of not freaking people out so bad.




If this freaks them out maybe they shouldn’t roll their own SaaS?

They almost certainly did not. They likely just hired a cheap contractor to get their service up, and went with it when "it worked".

The contractor (who was certainly incompetent) probably looked at a bunch of nightmarishly complex identity APIs and said "F** it!"; combine that with being grossly underpaid and you get stuff like this.

It's a bad situation, of course, and involving threatening lawyers makes it even more ugly. But I can understand how a very small business (knowing nothing about IT other than what their incompetent contractor told them) might get really offended and scared shitless by some rando giving them a 30-day deadline, reporting them to authorities, and demanding that they contact all affected customers.


Sure they might get rightfully scared because their neglect caused potential issues for their customers and having that public might decrease revenue.

But that is ok I think. They should get scared enough to not risk such neglect again.


How is an insurance company a SaaS?

Most likely, the insurance company handles the actual insurance policies, claims, payouts, etc. themselves, but uses a contractor to build their website, user portals, etc.

Survival (post diving accident) as a Service


