Re: [ISN] Feds pursue secrecy for corporate victims of hacking

From: InfoSec News (isnat_private)
Date: Thu Nov 07 2002 - 02:47:20 PST

  • Next message: InfoSec News: "[ISN] Security UPDATE, November 6, 2002"

    Forwarded from: Mark Randall <markusat_private>
    On Sunday, November 3, 2002, at 10:30  PM, InfoSec News wrote:
    > Forwarded from: hugginsat_private
    > Let me see if I get this right
    > I'm xyz bank I haven't taken the initiative to hire a security
    > mangaer or have hired one but, pay them minimum, they tell me I need
    > to fix security holes I say nah to expensive.  I get hacked, my user
    > data base and credit card information is stolen.  Numerous account
    > users identities are stolen but, because I report it to the FBI I
    > dont need to disclose it to my stake holders, or customers at will.  
    > Hmmm! sounds great rob me again.
    Aww, c'mon now.  It's at least a step in the right direction.
    I remember a couple of years ago, hearing about some eastern bank
    (taiwan?  bankok?) that was hacked and lost $50 million.  It wasn't
    noticed right away, but when they DID find out, all they could tell
    was that $50 million had been transferred to a swiss account, but
    within 24 hours, the funds had been further transferred elsewhere.  
    The bank decided not to investigate further, for fear that widespread
    news of the hack would shake their customer's confidence and end up
    being more damaging.
    I still find it hard to grasp that something as intangible as
    professional reputation can tip the scales enough to let somebody walk
    with $50M.
    Anyway, my point is simply that many businesses are not going to tell
    their investors and/or customers anyway...and this tight-lipped stance
    of not reporting usually goes on to prosecutorial or investigative
    agencies as well.  So, if they can work out an anonymous system
    whereby the company can at least disclose details to an investigative
    agency or one that can help with preservation of forensic evidence for
    prosecution, etc...then at least that's a step in the right direction.
    Sure, they're not likely to disclose such details to their customers
    and/or investors, but hey....what can you expect?
       Mark Randall
    ISN is currently hosted by
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Thu Nov 07 2002 - 05:04:10 PST