DataBreaches.Net

If you don’t know whether data were extracted, why say the risk of harm is low?

Posted on May 8, 2013 by Dissent

A breach notification letter submitted this week to the Vermont Attorney General’s Office by WorldVentures Marketing had me grinding my teeth.

According to the notification to consumers, WorldVentures recently became aware of unauthorized access to their servers. The access may have occurred from October 23, 2012 through March 14, 2013.  The server held customers’ credit card numbers with expiration dates.  They do not indicate how they became aware of the unauthorized access.

The firm says that they do not have any evidence that the card data were extracted. Then again, do they have any firm proof it wasn’t extracted?

“We believe the risk of harm to you is low.” 

If you don’t know for sure that data were not extracted, should you write that?  No.

The firm did not offer affected customers any free credit monitoring services.


Category: Breach Incidents, Business Sector, Hack, U.S.

2 thoughts on “If you don’t know whether data were extracted, why say the risk of harm is low?”

  1. Adam says:
    May 8, 2013 at 10:37 am

    because you like being sued?

  2. IA Eng says:
    May 8, 2013 at 12:58 pm

    This is a classic in-house investigation. Much like having security of your network at an all-time low on the expenditures list, the same applies to calling in experts to rummage through their network.

    I can almost hear someone saying:

    “That’s going to cost a lot of money and knock down our profit margin! Can’t we do this investigation in-house? Can’t the PR people figure out how to word the responses so we don’t knee-jerk people into complaining? How can we rectify this occurrence without making it look like it was a big deal?”

    There isn’t any proof data was extracted, because the people who are attempting to look for clues are – actually clueless. The way I look at it, the companies who act as true profiteers (somewhat close to racketeers, pirates and such) look at success only in the piles of cash they are able to produce. Risk, which most consider – is unmerited and cuts into the “bottom line”. So, how long can a company operate with minimal security controls in place before their pants fall around their ankles?

    Oh, we have a nest egg for fines. We have insurance in case an incident occurs that is beyond our control.

    They also see that most class action cases crash and burn, so being sued successfully is minimal. So it’s a report it when you can, clean it up, mop and move forward. They occasionally listen for the knock on the door from an entity that may request more information or, have an intent to sue them for the way they are running their business. Most will shrug and say the stereotypical line – it was only a matter of time before they hacked us too. We’re a victim here, we were doing it the same way everybody else is doing it.

    The law isn’t strict enough when it comes to the storage of personal information. Some businesses think of it like craps at the casino. There is only a small chance that your number is going to come up (in a bad way), so while the gettin’ is good, enjoy the success at a minimal cost.

    Until the CC agency slaps them silly with a hefty fine. Same with the government. There should be a mandatory, set fine per individual (person) record that was breached. In order to lower the fine, security controls like full disk encryption, in-line IPS, a staff that is qualified, and up to date on certifications, may allow for a little of the fine to be offset, but no more than half. The initial fine needs to sting. Otherwise it’s a flea bite and the shoddy businesses can afford it and pay it without doing any advances to their security program.

    The technology and infrastructure is out there. It doesn’t have to cost an arm and a leg. Send select IT people to courses that can use commercial off the shelf or freeware style products to secure your network. But, if it affects the bottom line, more than likely it’s something that won’t be funded.

    The way of doing business is broke. The cow is fat and full of milk. The hackers will drink it dry before they realize it.
