
Do you have any idea how much it costs to clean up after an "intrusion" or "data breach"?

Of course, it's unfair to blame all those costs on the guy who had to go as far as actually escalating his privileges in order to unmask the Rails developers for being such knuckleheads.




The CEO might not be to blame for the breach but he is responsible.

Personally, I think it's good that the CEO has lost his job over this. It's the sort of incident (along with the cost of Sony's breach[1]) that can be used as a cautionary tale pour encourager les autres to take security seriously.

1: http://www.zdnet.com/blog/btl/sonys-data-breach-costs-likely...


Yeah, that's pretty bad, blaming one employee when a single security hole on a single server resulted in the loss of personal information for 146 million people.

You leave a job, you keep the keys to your office, your employer forgets to take them back, you then deliberately copy the keys and hand them out to vandals. What court in the world would put any of the responsibility for that on the company?

Trib didn't spend millions in cleanup, but if any breach investigation were done --- to rule out the attackers having done things to retain access after credentials were revoked, and to assure Trib's clients that no PII was taken --- it would easily run into the mid tens of thousands.


The responsibility for hiding the hack and failing to correct the problems surely lies on the company management though, right?

This seems like yet another case where a company thinks keeping quiet and pretending nothing happened will be more profitable.


What sort of issues? Security ones? That basically came down to a malicious engineer compromising their own infrastructure and then whistleblowing.

"Blame the Hacker" is a tried and true way of deflecting attention from internal issues to the outside. It's akin to claiming an act of god in old times, as soon as you cross that line you're supposedly in the clear because, after all, it wasn't you that was the problem.

I suspect several of the higher profile data leaks and acts of vandalism that were blamed on outsiders but where subsequent follow up was never shown to actually prove that this was the case were in fact inside jobs, especially in those cases where the company did not file the issue with the authorities.

I think that if a company claims 'a hacker did this', they should provide conclusive evidence, and absent that we should simply assume that it really was an inside job.


What a short-sighted comment. Dig a little further down. If this is their response to an issue that affects three customers, it sends a message that every customer is important. Their response makes me, a potential customer, trust that they take these matters seriously.

Obviously you can also take the opinion that this should have never happened and question their competence and security. I personally weigh their response and transparency more than the issue itself, but it may seem easier since the impact to overall customers was relatively small.

Their response seems to have been handled well and may even generate some positive PR. That may change if it turns out to have been one of the recent Rails security flaws.


> My guess is their local workstation was compromised

Honestly I don't think it was even that complicated, considering when I needed to spend money on some SaaS product the "chief accountant" (because there was no CFO) straight up sent me a photo of the corporate credit card and said "delete that when you're done".


I don't see how any of this was the executives' fault. They have no idea of computer security and hired people who they thought were competent to handle it.

Perhaps, but what I can blame them for is for having very poor monitoring (50% failure rate and nobody noticed??) and poor security, culminating in this data breach.

People need to be held accountable for the security of their systems when they are storing personally identifiable information on customers or the public at large.

Edit: Perhaps they shouldn't be blamed when someone leverages a zero-day to break in, but if this is due to their failure to patch their systems, IMO they're 100% liable for everything that follows.


Further: Keybase is a security product and it wasn't deemed worth the risk for the CEO. And while Keybase isn't made of money, the $5k was roughly irrelevant compared to the other costs mentioned here and the _magnitude of the risk_.

If you haven't been through this kind of thing, it's hard to understand how scary it is to have a break-in of unknown origin. If you use strong, unique passwords as Max did, then you're almost certain it's a server break in (and again, this is why Slack is scary for sensitive info)...but being 99% certain isn't enough. Removing that computer permanently from the team gave peace of mind.


That's no excuse. Someone in senior management has been bribed? You have a serious security breach unreported, undiagnosed? That's a whopping shareholder lawsuit coming at you if you don't hunt it down and terminate it.

Users will be blamed until security improves.

Where your first argument falls apart is the other several million users who had their data breached didn’t have compromised accounts. It quite literally isn’t their responsibility or problem at all.

So covering up a known in-progress security breach is standard procedure? Instead of telling your users to change their passwords and so on?

Personally, I demand criminal investigation and at least a $1000 fine per account breached.


> covered up a massive data breach or something similar to that

Honest question: do execs or companies in general ever suffer consequences for data breaches? Seems like basically no one cares about this stuff.


It would completely depend on the severity and cost of the breach. This one was huge and cost Target millions (maybe a billion, I'm not sure honestly). For sure the head of IT and CEO would be purged in a situation like this one.

I'm going to pick on your post a little:

Why would you assume a security researcher who put in that much effort and kept the pastebin mostly anonymous didn't put in the effort to contact Panera Bread?

Is there a reason you automatically assume that the security researcher is irresponsible, but companies, who almost daily, have data breaches, are responsible in these scenarios?

"Hey, maybe you should contact the company?!" Thank you captain fucking obvious.


The level of incompetence on NCS's part is criminal; they absolutely deserved what they got. It could have been much worse, as in the malicious actor finding a way to insert code that makes it into production and then exfiltrating sensitive data to be sold on the dark web. Luckily Kandula wasn't smart enough to think like one of us.

NCS sounds like a clown show based on this article. The administrator credentials should have been changed as soon as Kandula was let go. Ideally, these credentials shouldn't have ever been used and everyone should be acting as themselves with an elevated privilege step.

As for the $678k in damages, why didn't NCS have snapshots that they could have quickly restored? Sounds like their BCDR plans need to be reviewed and updated.

Moral of the story is don't do business with NCS.
