Penetration Testing mailing list archives

Re: reporting a web site breach


From: Jason <securitux () gmail com>
Date: Fri, 17 Oct 2008 19:00:25 -0400

Hi all.

Jason, it is actually very shocking how the police will react to
something like this. I have been working with several incidents
involving a credit card breach and the only way the police will get
involved is if the credit card is used fraudulently. Actual theft of
the data is not a concern apparently. Nor is selling the data to a
Russian website which sells stolen credit cards. At least that's my
experience with law enforcement in the matter.

Ok with respect to reporting it to the media, although this gets into
the whole argument of responsible disclosure vs. full disclosure, we
don't live in an ideal world. The real reality is the company could
come after you. You might be looked at as someone who did something
malicious and the word 'malicious' is all up to interpretation when it
comes to security breaches. Just look at some of the news articles on
people who have been successfully sued / convicted for doing things so
minor that it was hardly worth the effort. And the US is all about
sue, sue, sue. I don't know if you want to risk it. Unless you are
required by law to reveal this issue, as per Bob's comment. PCI is not
a legal issue, it's a contractual obligation between a merchant and
their acquiring bank. Privacy might be the angle you could play here
as that IS a legal issue.

If breached they will be in a whole heap of trouble that is for sure.
Not only will they be HEAVILY fined they will STILL have to become PCI
compliant and this time they will be audited rigorously at their
expense for years to come. That being said if their acquiring bank
isn't requiring PCI compliance from them, the bank will be in trouble.

I think you have done everything you can and more, like others have
said, without sticking your own neck out too much. I wouldn't stick it
out much further at the moment.

And yes, PCI SSC is just a standards organization and will not fine
anyone, it is up to the merchant's acquiring bank to levy consequences
on the merchant. If the bank doesn't require PCI compliance, and
there's a breach, the bank will get the fine from VISA, AMEX, etc.
Part of the PCI requirements are that you must have 3rd party
agreements with all merchants to be PCI compliant. Not having these
agreements is a failure to be PCI compliant and the bank will be
nailed by the majors. In addition, a bank cannot just say "please be
compliant" and that's it. They have to make sure the merchants are
compliant. You can delegate the work but you cannot delegate the
responsibility. In addition, a fine can be levied at any point,
whether by the merchant failing an audit, a breach taking place, the
bank finding out the merchant has not held up to its agreement (if
there is an agreement), etc.

-J

On Thu, Oct 16, 2008 at 8:01 AM,  <jason_jones98 () hotmail com> wrote:
Hi Guys.

I need some advice. I was using a web site to book a service (details withheld) and found that I could very easily 
browse thousands of customer details i.e. name, address, phone numbers, the credit card details are masked but just 
viewed source and the credit card details are cleartext along with valid from, expire and cvv number. I called the 
company last night to advise that they probably want to bring down their site and advise customers that their details 
have been potentially breached, basically they told me it would cost them too much money to go offline and that was 
that! I then attempted to call Visa, Mastercard and the high tech crime unit and none of them seem to have a process 
to report this type of event unless an actual crime has taken place. So for my sanity could someone advise me on the 
ethical steps I should take to try and protect those customers?

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
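The quoted post describes card details that look masked on the page but are readable in the page source. The code below is an added illustration, not code from this thread or from any vendor: it places the pattern that produces that failure (the server emits the full card number and the browser hides it) beside the server-side fix, and adds a Luhn-based scan that a tester or developer can run over rendered responses to catch a full PAN before it reaches a customer's browser. The scan generalises beyond this one case to any response body with or without digit separators. The booking record is constructed; 4111 1111 1111 1111 is the standard Visa test number, and the CVV is included only to show that it must not be rendered at all (PCI DSS forbids storing it after authorisation).

```javascript
// Added example (not from the thread). Masking card data in the browser is not
// masking: whatever the server sends is visible in the page source.
const sampleBooking = {
  name: "A. Customer",          // constructed
  pan: "4111111111111111",      // well-known Visa test PAN, not a real card
  expiry: "12/29",              // constructed
  cvv: "123",                   // constructed; must never be stored after auth
};

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Masked form: keep only the last four digits, which is all a receipt needs.
function maskPan(pan) {
  const digits = String(pan).replace(/\D/g, "");
  return "*".repeat(Math.max(0, digits.length - 4)) + digits.slice(-4);
}

// VULNERABLE pattern: the full PAN and CVV are written into the HTML and hidden
// by a script. "View source" or disabling JavaScript reveals everything.
function renderClientMasked(booking) {
  return `<p>${escapeHtml(booking.name)}</p>
<span id="card" data-pan="${escapeHtml(booking.pan)}" data-cvv="${escapeHtml(booking.cvv)}">
  ${escapeHtml(booking.pan)}
</span>
<script>
  var el = document.getElementById("card");
  el.textContent = "*".repeat(12) + el.dataset.pan.slice(-4);
</script>`;
}

// HARDENED pattern: mask on the server and never send the sensitive fields.
// The CVV is not rendered because it should not even be retrievable.
function renderServerMasked(booking) {
  return `<p>${escapeHtml(booking.name)}</p>
<span id="card">${escapeHtml(maskPan(booking.pan))}</span>`;
}

// Luhn checksum, used to tell card numbers apart from other long digit runs.
function luhnValid(digits) {
  let sum = 0, double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Defender check: return every Luhn-valid 13-19 digit sequence in a response
// body, tolerating spaces or dashes between digits. Empty array means clean.
function findPans(body) {
  const found = new Set();
  const re = /\b(?:\d[ -]?){12,18}\d\b/g;
  for (const m of body.match(re) || []) {
    const digits = m.replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      found.add(digits);
    }
  }
  return [...found];
}

// Stand-alone run: the client-masked page leaks the PAN, the server-masked one does not.
if (typeof require !== "undefined" && require.main === module) {
  console.log("client-masked page leaks:", findPans(renderClientMasked(sampleBooking)));
  console.log("server-masked page leaks:", findPans(renderServerMasked(sampleBooking)));
}
```

The scan is deliberately the same test a data-loss-prevention proxy would apply to outbound responses, so it can sit in an integration test suite as well as in a tester's tooling; a non-empty result from `findPans` on any page a customer can load is the finding the quoted post describes.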
