Re: reporting a web site breach



I would think Jason would want to be very careful about filing a
lawsuit. Depending on what actions he took in determining that issues
exist and the jurisdiction, he may be subject to a countersuit. And
remember, discovery can be a very extensive process.

Just my 2 cents.

On Sun, Oct 19, 2008 at 7:04 PM, Chris Finley <cfinley@xxxxxxxxxxxxxxxx> wrote:

Should Jason file a class-action lawsuit on behalf of the customers of
the site?
Hear me out :)

He said that he is a customer of the web site, so now his data is
exposed, along with many other customers.

The data may have been stolen already; a goal of the lawsuit should be
to determine this, for the benefit of the site's customers.

A minimum level of protection for personal and financial information can
be expected from customers of a web site.

The owner feels the financial losses from fixing the security issue
(downtime) outweigh the risk to the customers. Until this changes,
security will be poor. The site owner should have some fear that
exposing customers to risk will have a financial cost.

Your responses are appreciated,
Chris


On Thu, 2008-10-16 at 21:12 -0400, acey deucey wrote:
I think Jason has done more than his duty. I second calling a
reporter. That will certainly get some attention. Hell, contact 10
reporters.


On Oct 16, 2008, at 15:58, "Prodigi Child" <prodigi.child@xxxxxxxxx> wrote:

If the company refuses to do anything about it, and it is based in the US,
try the FTC. If it is a bank, try the FDIC. Try to find an organization to
which they must answer. If you have ABSOLUTELY NO other recourse, then I
think you should act on the fact that the bad guys likely already know about
the security hole, and as a last resort consider calling a journalist.
Nothing like bad publicity to enact change in an organization :)

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of jason_jones98@xxxxxxxxxxx
Sent: Thursday, October 16, 2008 7:01 AM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: reporting a web site breach

Hi Guys.

I need some advice. I was using a web site to book a service (details
withheld) and found that I could very easily browse thousands of customer
details, i.e. name, address, phone numbers. The credit card details are
masked, but I just viewed the source and the credit card details are in
cleartext, along with valid from, expiry and CVV number. I called the company
last night to advise that they probably want to bring down their site and
advise customers that their details have been potentially breached;
basically they told me it would cost them too much money to go offline and
that was that! I then attempted to call Visa, Mastercard and the high tech
crime unit and none of them seem to have a process to report this type of
event unless an actual crime has taken place. So for my sanity could someone
advise me on the ethical steps I should take to try and protect those
customers?
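The failure Jason describes, card numbers masked in the rendered page but present in cleartext in the page source, is the kind of thing a site operator can check for on their own pages before a customer finds it. The following is an added example written for this page, not code from the thread or from any participant: it contrasts a hypothetical render that masks only in the visible text while shipping the full PAN and CVV in data attributes with one that masks on the server and never emits the CVV, and it runs a small Luhn-filtered scan over the raw HTML source, the check a site owner or tester would run to confirm whether cleartext PANs are leaking. The sample customer record, the card numbers (standard test values) and both render functions are constructed for the example.

```python
import html
import re

# Constructed sample record. The PAN and CVV are well-known test values, not real card data.
SAMPLE_CUSTOMER = {
    "name": "A. Customer",
    "pan": "4111111111111111",
    "expiry": "12/27",
    "cvv": "123",
}


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check. Screens out most digit runs that are not card numbers
    (order ids, phone numbers, timestamps) so the scan reports real PAN shapes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Server-side masking: keep only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


def render_card_row_insecure(customer: dict) -> str:
    """Hypothetical 'before' pattern (constructed): the visible cell shows a masked PAN,
    but the full PAN, expiry and CVV are embedded in data attributes for client-side
    script to use. Anyone who views the page source reads them in cleartext."""
    return (
        '<tr data-pan="{pan}" data-expiry="{exp}" data-cvv="{cvv}">'
        "<td>{name}</td><td>{masked}</td></tr>"
    ).format(
        pan=customer["pan"],
        exp=customer["expiry"],
        cvv=customer["cvv"],
        name=html.escape(customer["name"]),
        masked=mask_pan(customer["pan"]),
    )


def render_card_row_secure(customer: dict) -> str:
    """Hardened pattern (constructed): masking happens before the template is filled,
    so the full PAN never reaches the response, and the CVV is never rendered at all."""
    return "<tr><td>{name}</td><td>{masked}</td></tr>".format(
        name=html.escape(customer["name"]),
        masked=mask_pan(customer["pan"]),
    )


# 13 to 19 digit runs, allowing a single space or dash between digits,
# bounded so that a longer digit run is not split into a false hit.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans_in_source(page_source: str) -> list:
    """Scan raw page source (markup, attributes, script, comments) for Luhn-valid
    card numbers. Returns the hits already masked so the report itself cannot leak."""
    hits = []
    for match in _PAN_CANDIDATE.finditer(page_source):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


if __name__ == "__main__":
    for label, render in (("insecure", render_card_row_insecure),
                          ("secure", render_card_row_secure)):
        source = render(SAMPLE_CUSTOMER)
        print(label, "->", find_pans_in_source(source) or "no cleartext PAN in source")
```

Running the scan over the insecure render reports one masked hit even though the visible cell was masked, because the data attribute carried the full number; the secure render produces no hit. The regex and Luhn filter together are deliberately tolerant of spaced or dashed card numbers, so the same check works over full page captures, not only the constructed rows here.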




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------



