Information Security News mailing list archives

Re: Feds pursue secrecy for corporate victims of hacking


From: InfoSec News <isn () c4i org>
Date: Thu, 7 Nov 2002 04:47:20 -0600 (CST)

Forwarded from: Mark Randall <markus () california com>

On Sunday, November 3, 2002, at 10:30  PM, InfoSec News wrote:

Forwarded from: huggins () airmail net

Let me see if I get this right:

I'm xyz bank. I haven't taken the initiative to hire a security
manager, or have hired one but pay them minimum. They tell me I need
to fix security holes; I say nah, too expensive.  I get hacked, my user
database and credit card information is stolen.  Numerous account
users' identities are stolen but, because I report it to the FBI, I
don't need to disclose it to my stakeholders or customers at will.
Hmmm! Sounds great, rob me again.

Aww, c'mon now.  It's at least a step in the right direction.

I remember a couple of years ago, hearing about some eastern bank
(Taiwan?  Bangkok?) that was hacked and lost $50 million.  It wasn't
noticed right away, but when they DID find out, all they could tell
was that $50 million had been transferred to a Swiss account, but
within 24 hours, the funds had been further transferred elsewhere.
The bank decided not to investigate further, for fear that widespread
news of the hack would shake their customers' confidence and end up
being more damaging.

I still find it hard to grasp that something as intangible as
professional reputation can tip the scales enough to let somebody walk
with $50M.

Anyway, my point is simply that many businesses are not going to tell
their investors and/or customers anyway...and this tight-lipped stance
of not reporting usually goes on to prosecutorial or investigative
agencies as well.  So, if they can work out an anonymous system
whereby the company can at least disclose details to an investigative
agency or one that can help with preservation of forensic evidence for
prosecution, etc...then at least that's a step in the right direction.

Sure, they're not likely to disclose such details to their customers
and/or investors, but hey....what can you expect?

---
   Mark Randall



-
ISN is currently hosted by Attrition.org
