Re: reporting a web site breach



so, you are suggesting, at a minimum, the web site should pay for free
credit reports and optional credit-freezes for all customers as part
of this class-action... hmmmm....


On Sun, Oct 19, 2008 at 7:04 PM, Chris Finley <cfinley@xxxxxxxxxxxxxxxx> wrote:

Should Jason file a class-action lawsuit on behalf of the customers of
the site?
Hear me out :)

He said that he is a customer of the web site, so now his data is
exposed, along with many other customers.

The data may have been stolen already, a goal of the lawsuit should be
to determine this, for the benefit of the site's customers.

A minimum level of protection for personal and financial information can
be expected from customers of a web site.

The owner feels the financial losses from fixing the security issue
(downtime) outweighs the risk to the customers. Until this changes,
security will be poor. The site owner should have some fear that
exposing customers to risk will have a financial cost.

Your responses are appreciated,
Chris


On Thu, 2008-10-16 at 21:12 -0400, acey deucey wrote:
I think Jason has done more than his duty. I second calling a
reporter. That will certainly get some atention. Hell, contact 10
reporters.


On Oct 16, 2008, at 15:58, "Prodigi Child" <prodigi.child@xxxxxxxxx>
wrote:

If the company refuses to do anything about it, and it is based in
the US,
try the FTC. If it is a bank, try the FDIC. Try to find an
organization to
which they must answer. If you have ABSOLUTELY NO other recourse,
then I
think you should act on the fact that the bad guys likely already
know about
the security hole, and as a last resort consider calling a journalist.
Nothing like bad publicity to enact change in an organization :)

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx
] On
Behalf Of jason_jones98@xxxxxxxxxxx
Sent: Thursday, October 16, 2008 7:01 AM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: reporting a web site breach

Hi Guys.

I need some advise. I was using a web site to book a service (details
witheld) and found that i could very easily browse thousands of
customer
details i.e. name, address, phone numbers, the credit card details are
masked but just viewed source and the credit card details are
cleartext
along with valid from, expire and cvv number. I called the company
last
night to advise that they probably want to bring down their site and
advise
customers that their details have been potentially breached,
basically they
told me it would cost them too much money to go offline and that was
that! I
then attempted to call visa, mastercard and the high tech crime unit
and
none of them seem to have a process to report this type of event
unless an
actual crime has taken place. So for my sanity could someone advise
me on
the ethical steps i should take to try and protect those customers?




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------



Relevant Pages

  • Re: OT-Free Credit Report for yourself
    ... annualcreditreport.com is the only authorized web site ... which gives consumers their own credit report free of charge. ... AnnualCreditReport.com is a cooperative effort of the 3 credit bureaus to ... to 2 free credit reports from each bureau each year. ...
    (misc.transport.trucking)
  • Dont want to show duplicates, and want to show how many clients
    ... I'm doing a report of the customers who log on my web site in a day. ... the clients log twice or more in a single day. ...
    (microsoft.public.access.queries)
  • Dont want to show duplicates, and want to show how many clients
    ... I'm doing a report of the customers who log on my web site in a day. ... the clients log twice or more in a single day. ...
    (microsoft.public.access.queries)
  • Re: IIF statement in text box
    ... different part of the report. ... account balance is $XX.XXX" for customers who have a balance due. ... Now what will you do if the balance is exactly .01, or even a credit ...
    (microsoft.public.access.tablesdbdesign)
  • RE: Error on page in RMonitoring report
    ... since you still receive the monitoring report of ... Unassigned Internet Protocol address for the default Web site in IIS. ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ...
    (microsoft.public.windows.server.sbs)