Do you mean for hackers or for the companies? Punishing hackers will only work if you can find them and actually get them in a jurisdiction where you can bring charges. As for the companies, the only way to ensure total data security is to use encryption for which not even the company itself has a backdoor, which governments don't want them doing for reasons we're all aware of.
For companies. Here's a good summary by Karl Denninger of what the real problem is, using the CDK Global cryptojacking as the example. tl;dr:
But in a corporate environment you, as a user, by design should never be able to see Bob's data unless Bob is in some way subservient to you. Ever. The circumstances under which you can alter that data are even more-restrictive, obviously. There are bugs in all software that can be exploited, in some cases, to violate this separation. But these "cryptojacking" attacks are typically not from that sort of cause; they instead come about because someone authorized the machine to use elevated privilege and thus get "beyond" that individual user's data set.
And let's not forget when Sony had user data and passwords stored in an unencrypted text file.