A letter is sent out to customers, stating that although there was a breach, the really important data, such as customer birthdates, Social Security Numbers and so on were not seen, while less critical data like names and addresses might have been viewed (although this means that “Personally Identifiable Information” was copied).
The hope is apparently that customers will believe that data storage was compartmentalized with progressively escalated security measures.
Last week I passed on an opportunity to attend a 2-day seminar on ethical hacking, which made me realize that this information is becoming very accessible.
Small wonder therefore to see the rash of attacks against numerous corporate and government websites, such as the CIA or the International Monetary Fund:
Equally important is, what happens once an intruder is inside?
Having personally received such letters from several card issuers, I can say that none of them even claim that any data was encrypted. I would have thought that the best public relations stance would be to state that fact. However, since some data was exposed, the more likely scenario is that some companies used no encryption at all. In other words, there was no second line of defense.
Many of these cyber-attacks apparently used SQL injection to get past firewalls or network perimeter security.
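To make the two points concrete (injection through the application, and a missing second line of defense once the intruder is in), here is an added illustration that is not part of the original post. It uses Python's standard library with constructed sample customers and a made-up field key; it stores a keyed hash of the Social Security Number instead of the plaintext, so that even a query that dumps the table exposes nothing reusable.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample data. FIELD_KEY stands in for a secret that lives
# outside the database (KMS/HSM), which is what makes the stored tokens useless
# to anyone who only obtains a copy of the table.
FIELD_KEY = b"example-key-kept-outside-the-database"
CUSTOMERS = [("Alice Example", "123-45-6789"), ("Bob Example", "987-65-4321")]


def protect_ssn(ssn: str) -> str:
    """Keyed hash of the SSN: equality lookups still work, a dumped table reveals no SSNs."""
    return hmac.new(FIELD_KEY, ssn.encode(), hashlib.sha256).hexdigest()


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, ssn_token TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [(name, protect_ssn(ssn)) for name, ssn in CUSTOMERS])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # String concatenation: the input is parsed as SQL, so a quote in the
    # input rewrites the WHERE clause and the query returns every row.
    sql = "SELECT name FROM customers WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # Bound parameter: the same input is only ever compared as data.
    sql = "SELECT name FROM customers WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def dump_table(conn: sqlite3.Connection) -> list:
    """What an attacker who can run arbitrary SELECTs would see."""
    return list(conn.execute("SELECT name, ssn_token FROM customers"))


def ssn_exposed(conn: sqlite3.Connection) -> bool:
    """True if any plaintext SSN from the sample data appears in a full dump."""
    dumped = " ".join(" ".join(row) for row in dump_table(conn))
    return any(ssn in dumped for _, ssn in CUSTOMERS)
```

The vulnerable lookup shows why perimeter devices do not help, and `ssn_exposed` shows what the second line of defense buys when the first one fails.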
In the case of the Lulz Sec group, a 19-year-old member just arrested was alleged to have breached a British law enforcement system, for motives that are unclear.