The ongoing saga with STRATFOR indicates that the computer security breach may have been more extensive than previously known, because their website is still down 10 days after the attack.
One would think that a respected, global security company should have been better able to keep its data secure. UNFORTUNATELY, this problem is more pervasive than most would admit.
First of all, it is important to understand that while the upper executives should be blamed, it is also important to look at the entire picture. Management executives are not generally involved in day-to-day technical security concerns. This is why they delegate this task to others such as CIOs or CTOs. It appears to me one of these may have dropped their guard or become complacent. The people in charge of this should be removed immediately from their tasks until a full investigation has been completed.
I bet that right now, most people who are responsible for their computer security procedures are pretty smug about their own computer security model. Yet, I am willing to bet that many of them have no clue about the day-to-day workings and how open they really are to computer security threats. There are way too many companies out there that believe that if they have a firewall, they don't need any computer security procedures. They are often complacent about computer security threats.

Here is an easy way to find out whether personally identifiable customer information is truly encrypted and secure: call up your QA Manager and inform him that you want to personally test some website features to become more familiar with them and that you need a list of existing usernames and passwords, along with social security numbers and dates of birth, so you can simulate a customer. At this point it does not matter whether the information provided is from a production region or a systems and integration region. Real data is, after all, real data, no matter what region it resides in. If your QA staff is able to provide you with anything more than usernames, you probably have a problem. Under no circumstances should passwords be visible to ANYONE. Social security numbers and DOBs should be available on a very restricted basis. None of this information should be used for testing. There are plenty of fake data generators out there that will provide fictitious data to play with.
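The same check can be run against a database rather than against the QA Manager. The script below is an added example, not code from the original post: it seeds a hypothetical `customers` table (columns `username`, `password`, `ssn`, `dob` are assumed) with synthetic records, stores passwords only as salted PBKDF2 hashes, draws fake SSNs from the 900-999 area that the Social Security Administration has never issued, and then audits the table for the two conditions the post calls out: a password column holding anything other than a hash, and an SSN that is not obviously fictitious.

```python
# Added example (not part of the original post). Assumes a SQLite table
# "customers" with columns username, password, ssn, dob (hypothetical schema).
from __future__ import annotations

import hashlib
import hmac
import os
import random
import re
import sqlite3

PBKDF2_ROUNDS = 200_000
HASH_RE = re.compile(r"^pbkdf2_sha256\$[0-9a-f]{32}\$[0-9a-f]{64}$")
SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")


def hash_password(password: str, salt=None) -> str:
    """Salted PBKDF2-HMAC-SHA256. The plaintext is never written anywhere."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        _, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def ssn_could_be_real(ssn: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00 or serial 0000.
    Anything outside those ranges is plausibly a real person's number."""
    m = SSN_RE.match(ssn)
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    if area in (0, 666) or area >= 900:
        return False
    return group != 0 and serial != 0


def fake_ssn(rng: random.Random) -> str:
    """Synthetic SSN drawn from the never-issued 900-999 area."""
    return f"{rng.randint(900, 999):03d}-{rng.randint(1, 99):02d}-{rng.randint(1, 9999):04d}"


def fake_customer(rng: random.Random) -> dict:
    """One constructed test record: fictitious name, hashed password, fake SSN/DOB."""
    n = rng.randint(1000, 9999)
    return {
        "username": f"testuser{n}",
        "password": hash_password(f"Test-{n}!"),
        "ssn": fake_ssn(rng),
        "dob": f"{rng.randint(1950, 2000)}-{rng.randint(1, 12):02d}-{rng.randint(1, 28):02d}",
    }


def create_db(rows: list) -> sqlite3.Connection:
    """In-memory SQLite table standing in for the QA/integration database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, password TEXT, ssn TEXT, dob TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (:username, :password, :ssn, :dob)", rows
    )
    conn.commit()
    return conn


def audit_customers(conn: sqlite3.Connection) -> list:
    """Return one finding per row that violates the post's two rules."""
    findings = []
    query = "SELECT username, password, ssn, dob FROM customers"
    for username, password, ssn, _dob in conn.execute(query):
        if not HASH_RE.match(password or ""):
            findings.append(f"{username}: password column is not a PBKDF2 hash")
        if ssn and ssn_could_be_real(ssn):
            findings.append(f"{username}: SSN is not from a never-issued range")
    return findings


if __name__ == "__main__":
    rng = random.Random(1)
    clean = create_db([fake_customer(rng) for _ in range(5)])
    print("clean test data:", audit_customers(clean) or "no findings")
    # Constructed "bad" record: plaintext password and a plausibly real SSN.
    leaky = create_db([{"username": "jdoe", "password": "hunter2",
                        "ssn": "123-45-6789", "dob": "1970-01-01"}])
    for finding in audit_customers(leaky):
        print("finding:", finding)
```

The audit is deliberately simple: it only recognises the one hash format this script writes, so in a real environment the regular expression would be extended to whatever the application's password library emits. The SSN check cannot prove a number is real, only that it is not from a range reserved as fictitious, which is exactly the property a test dataset should have.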
Based on my experiences, there are probably 6 out of 10 companies that have some personally identifiable information for their customers available in plain text in some database, ready to be queried and misused.
Do yourself and your customers a favor. Go ahead and secure this data. Yes, it will be a little inconvenient for the QA staff and developers, but that can be easily remedied. Loss of customer trust is not easily repaired.