Penetration Testing mailing list archives

Re: reporting a web site breach


From: "Jamie Riden" <jamie.riden () gmail com>
Date: Thu, 16 Oct 2008 21:23:06 +0100

Will the local CERT act as an intermediary? Worth a try, as they will
have a bit more clout than you as a private citizen.

I know AusCERT has good links in the financial community in Australia
for example. Where is the site based? They could well be in breach of
local laws if they're exposing that sort of data.

cheers,
 Jamie

2008/10/16  <jason_jones98 () hotmail com>:
Hi Guys.

I need some advice. I was using a web site to book a service (details withheld) and found that I could very easily 
browse thousands of customer details, i.e. name, address, phone numbers. The credit card details are masked, but I just 
viewed source and the credit card details are cleartext along with valid from, expire and CVV number. I called the 
company last night to advise that they probably want to bring down their site and advise customers that their details 
have been potentially breached. Basically they told me it would cost them too much money to go offline and that was 
that! I then attempted to call Visa, MasterCard and the high tech crime unit and none of them seem to have a process 
to report this type of event unless an actual crime has taken place. So for my sanity could someone advise me on the 
ethical steps I should take to try and protect those customers?

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------

-- 
Jamie Riden / jamesr () europe com / jamie () honeynet org uk
UK Honeynet Project: http://www.ukhoneynet.org/
