lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAH8yC8=jGHmqR5vG92EKGuE=dNPZb5yqoaHLxR9eD+sJfW0UGA@mail.gmail.com>
Date: Mon, 17 Mar 2014 12:37:14 -0400
From: Jeffrey Walton <noloader@...il.com>
To: Kristian Erik Hermansen <kristian.hermansen@...il.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Bank of the West security contact?

On Mon, Mar 17, 2014 at 12:15 PM, Kristian Erik Hermansen
<kristian.hermansen@...il.com> wrote:
> Just wanted to post a follow-up to this and provide some context to
> make it known:
>
> * Bank of the West was contacted in 2011 to report a security issue
>
> * No response for 2 years
>
> * In late 2013, I receive a breach notification saying my own
> sensitive personal information was compromised via the EXACT SAME
> ISSUES I REPORTED. I also am led to believe employee information was
> compromised, which may include Social Security Number (SSN) details.
>
> Conclusions?
>
> * Bank of the West has NO WORKING SECURITY REPORTING MECHANISM for
> outside researchers and NO BUG BOUNTY PROGRAM
>
> * Bank of the West does not seem to take security and privacy
> seriously enough, as far as I can tell
>
> You should know this if you are an existing or potential customer /
> employee of Bank of the West...
The risk equations favor "do nothing". Its cost effective to simply
persue profits and not spend money on data security.

If (when) they are breached, it only costs them the cost of a
notification. In the US, that's the cost of bulk mail [0]. 46 states,
DC, and Territories have Data Breach laws, and nearly none (none?)
have any useful provisions for damages. [1]

You can't recover for your time lost or services like credit
monitoring. Every class action get tossed out [2]. I've never seen one
go to court, and I've been watching them for years.

In the US, the risk equations must be unbalanced (or swayed to favor
of the consumer, who is the ultimate victim). That will take a policy
change. However, that likely won't happen as long as corporate america
and special interest purchase and trade politicians like sports
trading cards.

(I've been watching data breaches and responses for years because I
got burned somehow and it cost me over 10K to fix in the 1990s. I
never got a notification. I found out after I got sued for unpaid
bills and the collection agencies contacted me).

Jeff

[0] http://pe.usps.com/businessmail101/rates/welcome.htm
[1] State Security Breach Notification Laws,
http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
[2] Once Again, Clapper Defeats Data Breach Class Action,
http://www.mondaq.com/unitedstates/x/294324/Data+Protection+Privacy/Once+Again+Clapper+Defeats+Data+Breach+Class+Action

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ