The 2009 Data Breach Hall of Shame

CIO Article on 2009 Data Breaches

If there was anything even vaguely comforting about the data breaches that were announced this year, it was that many of them stemmed from familiar and downright mundane security failures.

What does this say, loudly, about the organizations involved? Is it about competence or incompetence? I don’t really think so. Overall, it is about a lack of dogged “stick-to-it-iveness”. What does that mean? I am certain that all the organizations named on this list have highly competent practitioners in their IT space, though there may be exceptions.

I have found through many, many years of hands-on experience that it isn’t always about the level of technical competence. Most of the time, it is about the burning desire to ALWAYS get it right. Is this type of discipline possible or warranted for every aspect of Technology Management? Well, in an ideal environment called “Nirvana”, maybe. In real life, it just isn’t practical. Even so, some Technology disciplines, such as Security and Data Privacy, absolutely require that kind of commitment and effort.

For example, suppose I were to build a submarine and had the best engineers and practitioners in the world, but the Project Manager decided to put in a screen door. Overall, it is a small detail, but it completely defeats the concept of a secured and air-tight perimeter. You can use the same example for corporate network access. If you secure 99% of it and one rogue sales office adds a DSL modem without proper security, you get the same effect as the screen door in the submarine.

Heartland makes the list simply by virtue of the spectacular size and scope of the data breach it disclosed in January.

The compromise stemmed from SQL injection errors that allowed hackers to break into the payment processor’s networks and steal data on approximately 130 million credit and debit cards over several months.

It gave Heartland the dubious distinction of having announced the largest ever data breach in history.

TAKEAWAY: 130 million credit card records were in the open.  Was it one of yours? Technical Competency must be augmented with strict levels of effort and commitment in order to be effective.
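To make the Heartland lesson concrete, here is an added illustration (not code from the CIO article or from Heartland’s systems) of the class of defect involved: a card lookup that splices untrusted input into SQL text, beside the same lookup using a bound parameter. The table, rows and merchant identifiers are constructed for the example.

```python
import sqlite3

# Constructed sample table standing in for a payment-card lookup; the schema
# and rows are assumptions for this example, not any real processor's data.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (pan TEXT, merchant_id TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", [
        ("4111111111111111", "M100"),
        ("5500000000000004", "M200"),
        ("340000000000009", "M300"),
    ])
    return conn

def lookup_vulnerable(conn, merchant_id):
    # Untrusted input is spliced into the SQL text, so the database parses
    # any quote characters it contains as query syntax.
    sql = "SELECT pan FROM cards WHERE merchant_id = '" + merchant_id + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, merchant_id):
    # Bound parameter: the input reaches the engine as a value and is never
    # parsed as SQL, so a hostile string simply matches no row.
    sql = "SELECT pan FROM cards WHERE merchant_id = ?"
    return [row[0] for row in conn.execute(sql, (merchant_id,))]

def demo():
    conn = build_db()
    honest = "M100"
    hostile = "M100' OR '1'='1"   # textbook tautology, constructed input
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "parameterized_honest": lookup_parameterized(conn, honest),
        "parameterized_hostile": lookup_parameterized(conn, hostile),
    }

if __name__ == "__main__":
    for name, pans in demo().items():
        print(name, len(pans), "rows")
```

The concatenated query returns every card for the hostile input; the parameterized one returns none, which is the single discipline that closes this door.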

Caesar si viveret, ad remum dareris
(If Caesar were alive, you’d be chained to an oar)



1 Comment

Filed under IT, PCI, Privacy, Risk Management, security, Technology

One response to “The 2009 Data Breach Hall of Shame”


    As an IT Internal Auditor, I have witnessed over and over again systems, networks, applications and security programs with the back door wide open. For new systems, most of the security breaches were due to management wanting the system to work with the least amount of glitches. Their remedy for any glitch was to allow supervisors and key users to make on-the-spot corrections. Most users pick up on this control weakness and some take advantage of it. For old legacy systems, security associates or program analysts occasionally make program changes using privileged codes and they often forget to re-close the security access, or they may purposely leave the access door open. In either case this is an open door to allow fraud to occur. My advice to management is to ensure an internal auditor is assigned to all critical project management teams as an adviser on security and internal controls. And this auditor involvement should include the complete SDLC life cycle.
