Penetration Testing mailing list archives
Re: reporting a web site breach
From: acey deucey <aceinyaface () gmail com>
Date: Thu, 16 Oct 2008 21:12:24 -0400
I think Jason has done more than his duty. I second calling a reporter. That will certainly get some attention. Hell, contact 10 reporters.
On Oct 16, 2008, at 15:58, "Prodigi Child" <prodigi.child () gmail com> wrote:
If the company refuses to do anything about it, and it is based in the US, try the FTC. If it is a bank, try the FDIC. Try to find an organization to which they must answer. If you have ABSOLUTELY NO other recourse, then I think you should act on the fact that the bad guys likely already know about the security hole, and as a last resort consider calling a journalist. Nothing like bad publicity to enact change in an organization :)

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of jason_jones98 () hotmail com
Sent: Thursday, October 16, 2008 7:01 AM
To: pen-test () securityfocus com
Subject: reporting a web site breach

Hi Guys.

I need some advice. I was using a web site to book a service (details withheld) and found that I could very easily browse thousands of customer details, i.e. name, address, phone numbers. The credit card details are masked but I just viewed source and the credit card details are cleartext along with valid from, expire and cvv number.

I called the company last night to advise that they probably want to bring down their site and advise customers that their details have been potentially breached. Basically they told me it would cost them too much money to go offline and that was that!

I then attempted to call Visa, MasterCard and the high tech crime unit and none of them seem to have a process to report this type of event unless an actual crime has taken place.

So for my sanity could someone advise me on the ethical steps I should take to try and protect those customers?
------------------------------------------------------------------------ This list is sponsored by: Cenzic Security Trends Report from Cenzic Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now www.cenzic.com/landing/trends-report ------------------------------------------------------------------------