Current Insight Community Cases

Essential Datacenter Tips On Application Performance Monitoring

The Importance Of Skilled Immigrants To The American Economy

Help A New Kind of Music Label Revolutionize The Industry

Mandates To Buy American Should Be More Carefully Considered

Navigating The New Business World After This Recession

Shut Us Up

-- For Only $100 Million

Brought to you by Floor64 and the Techdirt crew.

stories filed under: "data breach"
Studies

Studies

by Mike Masnick

Mon, Jun 8th 2009 8:32pm


Filed Under:
auditor, cheating, data breach, liability, security



Security Pros Cheating During Audits?

from the oops dept

We were just discussing if a security auditor should be liable for giving a company a passing grade if there's later a security breach. Considering that it's pretty much impossible to be perfectly secure, and there were always some things that could go wrong, it seemed like a bad idea to hold auditors liable, except in situations where there was obvious fraud or gross negligence. And now, there's evidence that security professionals may try to trick auditors, raising even more questions about why auditors should be liable. Michael Scott points us to the news that a recent survey of security pros found that 20% admit to having cheated or knowing others who cheated in order to pass a security audit. Now, the phrasing can be misleading -- by saying that "they did or they know someone who did" it could (in theory) just be one guy who cheated... who happens to know a lot of other security professionals. So, it would certainly require a bit more research to determine how widespread the cheating is. It's also not clear how many times the cheating occurred. If it's every audit, that's one thing. If it just happened once and the issue was fixed, that's quite different. Still, it's more evidence that you can't just blame the auditors -- especially when the security pros at the company may not be completely truthful in providing info to the auditors.

5 Comments | Leave a Comment..

 
Legal Issues

Legal Issues

by Mike Masnick

Tue, Jun 2nd 2009 6:08pm


Filed Under:
auditor, data breach, liability, security



Is A Security Auditor Liable If There's A Security Breach?

from the we-may-find-out... dept

Wired is discussing the suddenly relevant legal question of whether or not a security auditor should be held liable if it claims a company's data is secure, and then there's a data leak. The specific lawsuit in the spotlight right now involves Savvis -- who had audited the security of CardSystems' computer systems and determined that the company "had implemented sufficient security solutions and operated in a manner consistent with industry best practices." As you may remember, CardSystems was later found to have had a massive breach of credit card data (for a while, until recently surpassed, it was considered the largest ever credit card data breach). So Savvis is now being sued for claiming that CardSystems' systems were secure. This is certainly a tough one. Obviously, it's no good if security auditors are simply rubberstamping things -- but it's impossible to be fully confident that a system is secure, and there can always be a leak somewhere. So holding auditors liable for any such leak could make it prohibitive to even be an auditor -- with the end result being fewer auditors, and potentially less actual security. But... at the same time, you certainly want there to be some incentive for the auditors to take their job seriously. It seems like in the absence of clear negligence on the part of the auditor, that it's a bit extreme to put any liability on the auditor.

25 Comments | Leave a Comment..

 
Scams

Scams

by Mike Masnick

Tue, Feb 24th 2009 6:10pm


Filed Under:
credit cards, data breach

Companies:
mastercard, visa



Escaped The Largest Credit Card Data Breach Ever? Well, Here's Another One...

from the just-assume-someone-else-has-your-cc-info dept

Remember last month when a credit card payment processor was forced to admit a security breach that could impact 100 million people? Well, if you were lucky enough not to get caught up in that breach, there's apparently another one to worry about. Visa and Mastercard are issuing a new warning over a different payment processor whose system was apparently compromised as well. At this rate, it's getting silly to have static credit card numbers, since it seems like we're replacing our cards every few months anyway.

14 Comments | Leave a Comment..

 
Scams

Scams

by Mike Masnick

Fri, Nov 7th 2008 3:20pm


Filed Under:
data breach, extortion, fbi, medical benefits

Companies:
express scripts, fbi



Another Day, Another Big Data Breach

from the do-people-even-pay-attention? dept

These days, it's probably best to just assume that any private data you've ever provided to a company is public. Given the pace at which the data you've entrusted to companies is leaked, whether via malicious hackers or via company carelessness, it's almost as if the exception to the rule is a company that's actually been able to keep your data safe. So it's hardly surprising that Express Scripts, the massive medical benefits management company, has said that its records appear to have been compromised. Apparently, the company was sent a note, detailing the medical records of about 75 people, with an extortion threat telling the company to pay up or face the exposure of millions of patient records. The FBI is now investigating. Still, we're reminded once again that companies have very little incentive to really keep your records straight. It's almost reached the point where these stories are barely worth commenting on, since they're so common. There's something quite depressing when you realize that these sorts of data breaches are barely even newsworthy any more.

6 Comments | Leave a Comment..

 
Scams

Scams

by Mike Masnick

Wed, Aug 6th 2008 12:45am


Filed Under:
credit card theft, data breach, organized crime

Companies:
tjx



Eleven Charged In Massive TJX Data Loss... But Many Are Still Overseas

from the this-is-hardly-over dept

We've had numerous posts about the massive (some say the largest ever) data breach by TJX, parent company of retailers like TJ Maxx and Marshalls. So, it's certainly worth mentioning the story making headlines that the "culprits" of the breach have been charged in the case, but it shouldn't exactly put your mind at ease about these breaches. After all, the credit card info they accessed (over 40 million cards by most accounts) is still out there, though many card holders have already changed their numbers. But, more importantly, it sounds as though most of those responsible aren't in the US at all and are basically sitting free in Eastern Europe and Asia. Hell, one of those "charged" is only known by his online username, with no indication where he might be located. So, yes, it's good that the feds tracked down some of the folks responsible, but most of them are probably still out there getting access to the credit cards your provider sent you to replace the ones compromised by these guys in the first place.

14 Comments | Leave a Comment..

 
Legal Issues

Legal Issues

by Mike Masnick

Tue, Jan 8th 2008 7:01am


Filed Under:
class action, data breach, privacy

Companies:
sears



That Didn't Take Long At All: Sears Sued For Data Breach

from the $5-million,-please dept

Well that didn't take very long at all. Late last week, it was revealed that Sears.com was revealing past purchases to anyone who knew your name, address and phone number -- a violation of Sears' own privacy policy. And, by Monday, we have a $5 million class action lawsuit against Sears. While I do think Sears made a huge mistake here, the class action lawsuit seems a bit extreme. There's no evidence that anyone was actually hurt by this -- and while it was a dumb move by Sears, it's not difficult to understand how it likely came about. Chances are Sears will settle this quickly just to get it out of the news, but really the only winners will be (as per usual) the lawyers.

25 Comments | Leave a Comment..

 
Search Techdirt
And now, a word from our Sponsors..
San Francisco Music Tech 2009
15% off discount for Techdirt Readers



Popular Posts
Poll

Which Internet Concern Worries You The Most?

 

 

 

 

 

 


Add Techdirt RSS To Your Reader
rss Add Techdirt to your Bloglines
Add Techdirt to your Google Add Techdirt to your My Yahoo
Add Techdirt to your Netvibes Add Techdirt to your Newsgator
Subscribe to Techdirt's Daily Email Newsletter

Techdirt's Daily Email Newsletter

Older Stuff

Monday

6:06am: Dear Rupert: You Don't Succeed By Making Life More Difficult For Users (70)
4:20am: ESPN Writer Suspended From Twitter (59)
2:10am: School Can't Handle Critical Community Message Board; Sends Legal Nastygram (21)

Friday

7:39pm: Liberian Laws Are A Secret Due To Copyright; Even The Gov't Doesn't Have Them (43)
6:56pm: Lily Allen: It's Ok To Sell My Counterfeit CDs, Just Don't Give My Music For Free (97)
6:10pm: EFF Looks To Bust Bogus Podcasting Patent; Needs Prior Art (34)
5:28pm: Google Blocking Set Top Boxes From Showing YouTube Unless They Pay Up? (63)
4:44pm: Entertainment Industry: Yes, Please Keep Negotiating Secret Copyright Treaty To Save Our Asses (43)
4:02pm: If Google's Book Scanning Violates Copyright Law, What About The AP's Book Scanning? (21)
3:05pm: iPhone App Developer Backlash Growing (49)
2:14pm: Norwegian Band Told It Can't Post Its Own Music To The Pirate Bay, Even Though It Wants To (24)
1:08pm: If You Only Share A Tiny Bit Of A File Via BitTorrent, Is It Still Copyright Infringement? (79)
12:00pm: UK Digital Economy Bill As Bad As Expected; Digital Britain Minister Flat Out Lies About ISP Support (25)
10:57am: NPR's Daniel Schorr Blames The Internet For Ft. Hood Shootings (37)
9:49am: No, ACTA Secrecy Is Not 'Normal' -- Nor Is It A 'Distraction' (28)
8:33am: Murdoch's The Times Accused Of Blatant Copying, Just As It Tells The World You Should Pay For News (27)
7:15am: Copyright Extension Moves To Japan (24)
5:46am: Canadian Ebook Store Offers 'Free' Public Domain Ebooks -- Claims Copyright Says You Can Only Make 1 Copy (26)
4:01am: There Are Lots Of Ways To Fund Journalism (14)
1:49am: Winner Takes All, Long Tails And The Fractilization Of Culture (10)

Thursday

10:37pm: The Lobbyists' Ability To Control The Message (29)
8:11pm: In Going Free, London Evening Standard Doubles Circulation While Slashing Costs (27)
6:10pm: Senate Exploring Med School Profs Putting Names On Ghostwritten Journal Articles In Favor Of Drugs (22)
4:52pm: What Does It Say When A Comedy Show Does More Fact Checking Than News Programs? (56)
3:33pm: Nordic Music Week: Optimism Galore And Found Songs (11)
2:10pm: Would Top Sites Really Opt-Out Of Google Based On A Microsoft Bribe? (37)
12:57pm: Intel Lawyers Again Go Too Far In Trademark Bullying (24)
11:43am: Mandelson Wants Gov't To Have Sweeping Powers To Protect Copyright Holders (40)
10:47am: Once Again, Walmart Stops People From Printing Family Photos Due To Copyright Law Claims (42)
9:39am: Essayist Writes Popular Essay... Then Sends 'Non-Negotiable' Invoice To Church Who Posts It Online (61)
More arrow
Quick Links
Close
E-mail It