Former Reuters journalist Matthew Keys sentenced to 2 years for a 40-minute web defacement

I’m not OK with harshly punishing people for things that didn’t happen but could have. If you drive drunk but get home safely, I do not think your punishment should be the same as if you plowed your car into a crowd and killed dozens of people, even though that could have happened.

Therefore, the person currently in charge of credentials, and not Matthew Keys - who was not supposed to have them, right? He had them because the credentials manager actively gave them to him, and that was a preventable hazard as you say.

Yes, sure, you’d be liable - but you shouldn’t be punished as harshly as the person who didn’t recover the key, nor as much as the actual burglar. There is a scale of responsibility here, and the person who is not employed by the company is not in any way obligated to remediate their security failures. The only reason you’d have any liability at all is because presumably you know that key still works, even though it certainly shouldn’t. If you could produce a policy document from your former employer that unequivocally states that locks are always changed when a master key goes missing, you have even less culpability. Security assurance is not your job, nor are you a cop (presumably). It’s simply not your responsibility to safeguard their keys.

In my opinion an appropriate punishment for the Times would be to have their website defaced and perhaps a small fine, say 0.5% of their income, levied for failing to secure their infrastructure. An appropriate punishment for Matthew Keys would be 120 hours of community service. An appropriate punishment for the actual hackers would be 400 hours of community service each; they didn’t really harm anyone, but they were trespassing.