Re: reporting a web site breach



If they process credit card numbers, get in touch with the PCI Data
Security Council.

On Thu, Oct 16, 2008 at 12:58 PM, Prodigi Child <prodigi.child@xxxxxxxxx> wrote:
If the company refuses to do anything about it, and it is based in the US,
try the FTC. If it is a bank, try the FDIC. Try to find an organization to
which they must answer. If you have ABSOLUTELY NO other recourse, then I
think you should act on the fact that the bad guys likely already know about
the security hole, and as a last resort consider calling a journalist.
Nothing like bad publicity to enact change in an organization :)

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of jason_jones98@xxxxxxxxxxx
Sent: Thursday, October 16, 2008 7:01 AM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: reporting a web site breach

Hi Guys.

I need some advice. I was using a web site to book a service (details
withheld) and found that I could very easily browse thousands of customer
details, i.e. name, address, phone numbers. The credit card details are
masked, but I just viewed the source and the credit card details are in
cleartext along with the valid-from date, expiry date and CVV number. I
called the company last night to advise them that they probably want to
bring down their site and advise customers that their details have
potentially been breached. Basically, they told me it would cost them too
much money to go offline, and that was that! I then attempted to call Visa,
MasterCard and the high tech crime unit, and none of them seem to have a
process to report this type of event unless an actual crime has taken
place. So, for my sanity, could someone advise me on the ethical steps I
should take to try and protect those customers?

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
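The failure the original poster describes is masking done in the browser: the server ships the full card record into the page and only the rendered text is starred out, so "view source" shows everything. The following is an added example, not code from the thread or from the site in question. It contrasts that pattern with masking on the server (which never emits the CVV at all), and adds the check a site owner would want: a scan of rendered page source for Luhn-valid digit runs that look like full card numbers. The `CardOnFile` record, the two `render_*` functions and the sample data are all constructed for this example; the PAN used is a well-known test number, not a real card.

```python
import re
from dataclasses import dataclass


# Constructed sample record for the example; 4111111111111111 is a standard
# test PAN, not a real card number.
@dataclass
class CardOnFile:
    holder: str
    pan: str          # full card number
    valid_from: str
    expires: str
    cvv: str


SAMPLE = CardOnFile("A. Customer", "4111111111111111", "01/08", "10/10", "123")


def mask_pan(pan: str) -> str:
    """Display form of a PAN: everything but the last four digits starred."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def render_vulnerable(card: CardOnFile) -> str:
    """The pattern described in the post: the full record is put into the HTML
    (here as data attributes, hypothetical layout) and masked client-side, so
    the page source still carries PAN, dates and CVV in cleartext."""
    return (
        '<div class="card" '
        f'data-pan="{card.pan}" data-from="{card.valid_from}" '
        f'data-exp="{card.expires}" data-cvv="{card.cvv}">'
        f'<span class="masked">{mask_pan(card.pan)}</span></div>'
    )


def render_hardened(card: CardOnFile) -> str:
    """Mask on the server before templating and never send the CVV to the
    browser: the page source only contains what the customer should see."""
    return (
        '<div class="card">'
        f'<span class="masked">{mask_pan(card.pan)}</span> '
        f'<span class="exp">exp {card.expires}</span></div>'
    )


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, used to cut false positives in the scan."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in
# a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(html: str) -> list[str]:
    """Defender's check: return every Luhn-valid card-number-like digit run
    found in rendered page source. Run it over the output of your own
    templates to catch full PANs leaking into HTML."""
    hits = []
    for m in PAN_RE.finditer(html):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def leaks_sensitive_data(html: str, card: CardOnFile) -> bool:
    """True if the page source carries the full PAN or the CVV of this card."""
    return bool(find_pans(html)) or card.cvv in html


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        html = render(SAMPLE)
        print(name, "->", "LEAKS" if leaks_sensitive_data(html, SAMPLE) else "clean")
        print("   ", html)
```

The scan is deliberately generous (any 13 to 19 digit run that passes Luhn), because on a page that should never contain a full PAN, a false positive costs a minute of review while a miss is the situation in the post. Note that `render_hardened` has nothing to mask the CVV with because it never receives a reason to print it; PCI DSS prohibits retaining the CVV after authorization, so a server that can still render it is storing data it should not hold.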