Full Disclosure mailing list archives
Re: Bank of the West security contact?
From: Jeffrey Walton <noloader () gmail com>
Date: Tue, 18 Mar 2014 18:28:37 -0400
On Mon, Mar 17, 2014 at 12:37 PM, Jeffrey Walton <noloader () gmail com> wrote:
> On Mon, Mar 17, 2014 at 12:15 PM, Kristian Erik Hermansen <kristian.hermansen () gmail com> wrote:
>> Just wanted to post a follow-up to this and provide some context to make it known:
>>
>> * Bank of the West was contacted in 2011 to report a security issue
>> * No response for 2 years
>> * In late 2013, I receive a breach notification saying my own sensitive personal information was compromised via the EXACT SAME ISSUES I REPORTED. I also am led to believe employee information was compromised, which may include Social Security Number (SSN) details.
>>
>> Conclusions?
>>
>> * Bank of the West has NO WORKING SECURITY REPORTING MECHANISM for outside researchers and NO BUG BOUNTY PROGRAM
>> * Bank of the West does not seem to take security and privacy seriously enough, as far as I can tell
>>
>> You should know this if you are an existing or potential customer / employee of Bank of the West...
>
> The risk equations favor "do nothing". It's cost effective to simply pursue profits and not spend money on data security. If (when) they are breached, it only costs them the cost of a notification. In the US, that's the cost of bulk mail [0].
>
> 46 states, DC, and Territories have Data Breach laws, and nearly none (none?) have any useful provisions for damages. [1] You can't recover for your time lost or services like credit monitoring.
>
> Every class action gets tossed out [2]. I've never seen one go to court, and I've been watching them for years.
I might just stand corrected here (if it withstands appeal):
http://www.slyck.com/story2351_Data_Breach_Settlement_Class_Action_Lawsuit_Wins_Appeal_in_Court

With so many recent data breaches and lacking security measures in place, we know that there are likely to be many more lawsuits forthcoming. However, in what’s believed to be a first win for a class action lawsuit as a result of a data breach where none of the plaintiffs suffered identity theft or direct losses, AvMed, a Florida-based health insurer, lost its case in court to the tune of a $3 million settlement agreement.

On February 21, 2014, a federal judge in the Southern District of Florida approved an Order granting motion for final approval of a Class Action Settlement Agreement, and filed a motion for attorneys' fees and expenses, as well as for incentive awards.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/