I believe it was a tweet https://twitter.com/patio11/status/664551822120476672 which was interpreted as chiding the victims for being thin-skinned in the attack upon them. (Secure systems thrive and survive only if they can take on all stressors and remain robust.)

While Patrick seemed to be focusing on the abstract notion of security mechanisms needing to welcome malicious scrutiny, the strong reaction against his tweet was based on the observation that Patrick failed to take into account the real, human cost of such an attack. This was further compounded by the fact that often, research requires IRB approval to determine whether the research is ethical, and the evidence is that CMU's actions weren't ethical. Yet Patrick felt it necessary to opine without understanding the ethical component of such an attack.