
So because companies A through X are irresponsible with data, customers should regard that as acceptable and give company Y a free pass to do the same? I don't understand how a reasonable analysis of the situation can come to that conclusion.


You don't know the names of companies A through X, or supposedly safe Z for that matter. All you'll be doing is an enormous amount of work and bother to move from Y to, let's say, A, because you think you'll be more secure but unfortunately if anything it's probably the other way around, it's just that A hasn't been hacked... yet... so far as they know...

None of them get a free pass, they all suck, but the one that just got busted is probably going to be a little more security focused in the near future.

Hmm, stay at a place that just got burned, or expend lots of effort to move to a place that hasn't been burned yet...


"Because Nigerian princes A through X are irresponsible with your cash, budding lottery winners should regard that as acceptable and give Nigerian prince Y a free pass to do the same?"

Of course not, and this drives to the very core of risk management. I've signed up for some very shady online services in my time, doing so in the full knowledge that should a product or service not be rendered as advertised, I am guaranteed to be able to reverse the relevant charge. Even when I the consumer am doing something shady (in a case last month, attempting to import goods I knew weren't certified for the EU), the system still works for me. This is the sole reason I use a credit card rather than, say, my current account's Visa number.

It's not even about assessing the risk of whether or not you're going to get ripped off, but whether or not a particular company will cause you the inconvenience of the aforementioned phone calls.

If you work on the assumption that your card data is safe, you quite simply aren't safe enough to be in possession of a computer or card. Credit cards aren't built on that assumption; instead their entire motivation is based on risk profiling both the consumer and merchant, and terminating agreements when various thresholds are reached. In return the industry guarantees that in the minority of cases where things go wrong for the consumer, the problem can be corrected swiftly.

It's understandably upsetting that their customer database might have leaked, and I can genuinely understand people's concern over that. But as 4chan has taught us, there are very few people left in the west whose address and telephone number aren't available within even an hour's Googling.

As for locating confidential data on machines shared with other customers and managed by a piece of unaudited software, I have no sympathy for that. That's the price of a VPS, and why it's so heavily discounted compared to real hardware.



