The Cellar  

Old 01-25-2009, 01:57 PM   #1
xoxoxoBruce
The future is unwritten
 
Join Date: Oct 2002
Posts: 71,105
Mitch, do you have a feeling for whether this Heartland fuck up was lazy IT people, or management cutting IT to the bone for the bottom line?
Old 01-25-2009, 07:47 PM   #2
mbpark
Lecturer
 
Join Date: Jan 2001
Location: Carmel, Indiana
Posts: 761
I think both

Bruce,

I think both, with an emphasis on lazy IT people, because systems like this are very hard to set up, and are why InfoSec people make a lot of money.

You just don't cut the budgets for this unless you're very stupid. It makes no sense.

Then again, knowing some of the middle managers I deal with in IT, nothing they do makes sense to anyone but themselves.

Mitch


Quote:
Originally Posted by xoxoxoBruce
Mitch, do you have a feeling for whether this Heartland fuck up was lazy IT people, or management cutting IT to the bone for the bottom line?
Old 01-25-2009, 08:39 PM   #3
richlevy
King Of Wishful Thinking
 
Join Date: Jan 2001
Location: Philadelphia Suburbs
Posts: 6,669
Quote:
Originally Posted by mbpark
Then again, knowing some of the middle managers I deal with in IT, nothing they do makes sense to anyone but themselves.
The funny thing is that this is 2 years after the TJX computer intrusion, which cost that company 256 million dollars!! So with all of that history, and considering that, unlike TJX, their entire company is built around computer data, one would think that they would be hyper-secure.

Well, it appears that there is significant progress in the Heartland case. The company has created a website to inform the public. Note the use of the word unencrypted. They are not saying that PIN numbers weren't taken, just that if they were they were encrypted.

I am so glad that California and then Congress passed a law requiring notification in cases like this. Does anyone want to bet on whether TJX and Heartland would have announced the breach if they weren't forced to by law?

Quote:
No confidential merchant data, Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were retrieved in what is believed to be a global cyber-fraud operation. Heartland does not yet know how many card numbers were obtained. Many reports in the press are speculative.

Consumers will know if their card account numbers have been used by reviewing their monthly statements. Cardholders should report suspicious activity to their issuing banks (the bank that issued the card, not the card brand). If unauthorized use is confirmed, cardholders are reimbursed for the fraudulent purchases and are not held financially responsible.
Old 01-25-2009, 09:45 PM   #4
mbpark
Lecturer
 
Join Date: Jan 2001
Location: Carmel, Indiana
Posts: 761
They didn't say how they were encrypted

They didn't say what method was used to encrypt the data. ROT-13 doesn't count.

Then again, PIN numbers are encrypted at the keypad level these days, at least that is good for ATM cards. Credit cards are a whole other deal. That provides these people little comfort. What other data do they have?

TJX and Heartland would have said nothing unless they had to legally. You and I know that some middle management type looking to save a buck and make himself look good by either screwing other people, his subordinates, consultants, or even his bosses was probably the genesis.

And you know that in many places in Corporate America, such behavior would be rewarded positively for innovation. Other places would find such a manager mysteriously "resigning" and ending up at another place, or quietly "out of the industry". Dilbert is a documentary in this regard.

Like I said, I deal with middle management a lot. Never before have I seen people so willing to screw each other blind and bitch over petty little things instead of working to get things done. I thought things were bad when I spent most of my time working on the tech side of the house instead of management.

I've seen enough of this to believe that petty infighting and the blame game had a significant contribution to this unfortunate incident. Now a company is probably going to go under because some middle manager in charge of network security had a grudge with the DBAs.
Old 01-25-2009, 11:01 PM   #5
tw
Read? I only know how to write.
 
Join Date: Jan 2001
Posts: 11,933
Quote:
Originally Posted by mbpark
I've seen enough of this to believe that petty infighting and the blame game had a significant contribution to this unfortunate incident. Now a company is probably going to go under because some middle manager in charge of network security had a grudge with the DBAs.
Sometimes, infighting was observed as a symptom of management that did not know how the work got done. Had no idea what employees were doing; no clue as to how to provide the necessary attitude and knowledge; did not even know employees were not doing security.

Not only could the boss not provide the necessary management support, but his technical ignorance also made cooperation impossible. If he cooperated, then others might realize how little he really knew about what his employees did and could do.

Well, the reporter can only ask the president and company spokesperson why failures happened. Obviously the reporter cannot get an answer. If they knew, then the problem would not have existed in the first place. So we are left to only speculate or await the employee blogs.