Re: reporting a web site breach

[Chris Finley <cfinley () u washington edu>]

Should Jason file a class-action lawsuit on behalf of the customers of
the site?
Hear me out :)

He said that he is a customer of the web site, so now his data is
exposed, along with many other customers.

The data may have been stolen already, a goal of the lawsuit should be
to determine this, for the benefit of the site's customers.

A minimum level of protection for personal and financial information can
be expected from customers of a web site.

The owner feels the financial losses from fixing the security issue
(downtime) outweighs the risk to the customers. Until this changes,
security will be poor. The site owner should have some fear that
exposing customers to risk will have a financial cost.

Your responses are appreciated,
Chris


On Thu, 2008-10-16 at 21:12 -0400, acey deucey wrote:
> I think Jason has done more than his duty. I second calling a  
> reporter. That will certainly get some atention. Hell, contact 10  
> reporters.
>
>
> On Oct 16, 2008, at 15:58, "Prodigi Child" <prodigi.child () gmail com>  
> wrote:
>
> > If the company refuses to do anything about it, and it is based in  
> > the US,
> > try the FTC. If it is a bank, try the FDIC. Try to find an  
> > organization to
> > which they must answer. If you have ABSOLUTELY NO other recourse,  
> > then I
> > think you should act on the fact that the bad guys likely already  
> > know about
> > the security hole, and as a last resort consider calling a journalist.
> > Nothing like bad publicity to enact change in an organization :)
> >
> > -----Original Message-----
> > From: listbounce () securityfocus com [mailto:listbounce () securityfocus com 
> > ] On
> > Behalf Of jason_jones98 () hotmail com
> > Sent: Thursday, October 16, 2008 7:01 AM
> > To: pen-test () securityfocus com
> > Subject: reporting a web site breach
> >
> > Hi Guys.
> >
> > I need some advise. I was using a web site to book a service (details
> > witheld) and found that i could very easily browse thousands of  
> > customer
> > details i.e. name, address, phone numbers, the credit card details are
> > masked but just viewed source and the credit card details are  
> > cleartext
> > along with valid from, expire and cvv number. I called the company  
> > last
> > night to advise that they probably want to bring down their site and  
> > advise
> > customers that their details have been potentially breached,  
> > basically they
> > told me it would cost them too much money to go offline and that was  
> > that! I
> > then attempted to call visa, mastercard and the high tech crime unit  
> > and
> > none of them seem to have a process to report this type of event  
> > unless an
> > actual crime has taken place. So for my sanity could someone advise  
> > me on
> > the ethical steps i should take to try and protect those customers?


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------