Comments on: Data Security as a Customer Satisfaction Tool http://jeffnolan.com/wp/2006/10/15/data-security-as-a-customer-satisfaction-tool/ Jeff Nolan's take on investment, innovation, entrepreneurship and the technology industry Mon, 06 Feb 2012 06:44:37 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Andrew Fife http://jeffnolan.com/wp/2006/10/15/data-security-as-a-customer-satisfaction-tool/comment-page-1/#comment-33231 Andrew Fife Wed, 18 Oct 2006 05:57:41 +0000 http://jeffnolan.com/wp/2006/10/15/data-security-as-a-customer-satisfaction-tool/#comment-33231 Jeff: to clarify, I highly doubt that your data was stolen by an elite attacker. More likely, Autobahn fell behind on patches and got nailed by someone using one of many exploit technique/scripts that are widely available and described in detail on the web. What I actually find more amazing is that Autobahn Motors did find out about the attack. My guess is that a system crashed and that it otherwise would have gone undetected. Having worked as a security consultant I have seen first hand how backwards many IT networks are. In one instance a major consumer brand contacted us after having had a security incident. To give you an idea of magnitude in their own words, they were down for about an hour and lost $1M in ecommerce revenue. While performing our forensic analysis, our security engineers discovered that the organization did not have a firewall and the exploit technique used had had a patch available for 4 years. It was a real eye-opener. I would be willing to bet that at least 10% of the Fortune 1000 are far enough behind on security patches that their security perimeters could be exploited easily. As a general rule, SMBs are basket cases when it comes to security. -Andrew Jeff:
to clarify, I highly doubt that your data was stolen by an elite attacker. More likely, Autobahn fell behind on patches and got nailed by someone using one of many exploit technique/scripts that are widely available and described in detail on the web. What I actually find more amazing is that Autobahn Motors did find out about the attack. My guess is that a system crashed and that it otherwise would have gone undetected.

Having worked as a security consultant I have seen first hand how backwards many IT networks are. In one instance a major consumer brand contacted us after having had a security incident. To give you an idea of magnitude in their own words, they were down for about an hour and lost $1M in ecommerce revenue. While performing our forensic analysis, our security engineers discovered that the organization did not have a firewall and the exploit technique used had had a patch available for 4 years. It was a real eye-opener.

I would be willing to bet that at least 10% of the Fortune 1000 are far enough behind on security patches that their security perimeters could be exploited easily. As a general rule, SMBs are basket cases when it comes to security.
-Andrew

]]> By: Jeff Nolan http://jeffnolan.com/wp/2006/10/15/data-security-as-a-customer-satisfaction-tool/comment-page-1/#comment-33197 Jeff Nolan Wed, 18 Oct 2006 01:05:29 +0000 http://jeffnolan.com/wp/2006/10/15/data-security-as-a-customer-satisfaction-tool/#comment-33197 Imagine this, found on jluster.org: "A few days ago, via email, I received a complete set of tax information for the years 2000 to 2005 for some other jluster. I won't mention his name, but he seems to be a fat fish, making close to a mill a year. I am now, completely, in possession of his life - social security, address, birth date, taxpayer IDs, employer information, birth dates, visa card numbers (for payment to the lawyer who sent the emails to the wrong person), and more." Imagine this, found on jluster.org:

“A few days ago, via email, I received a complete set of tax information for the years 2000 to 2005 for some other jluster. I won’t mention his name, but he seems to be a fat fish, making close to a mill a year. I am now, completely, in possession of his life – social security, address, birth date, taxpayer IDs, employer information, birth dates, visa card numbers (for payment to the lawyer who sent the emails to the wrong person), and more.”

]]> By: Paul J. http://jeffnolan.com/wp/2006/10/15/data-security-as-a-customer-satisfaction-tool/comment-page-1/#comment-33194 Paul J. Wed, 18 Oct 2006 00:54:57 +0000 http://jeffnolan.com/wp/2006/10/15/data-security-as-a-customer-satisfaction-tool/#comment-33194 OK, as the 5th comment states maybe Autobahn was not the type of business to go out and spend tons of money on security (well maybe Autobahn should but other SMB's won't) yet imagine how pissed off I was when E&Y who used to prepare my taxes had my electronic information stolen because it was on someone's laptop and was sniped out of his car. Myself and a couple other thousand customers were effected and even more humiliating was the fact that the hotline set up wasn't usable for U.S. residents living outside the U.S. nor were any of the credit monitoring services offered for free online possible to set up if outside the U.S. Well, my business is now gone from them and I am sure they lost a ton of other customers. This issue is going to only escalate in the future as more and more people have this information stolen. OK, as the 5th comment states maybe Autobahn was not the type of business to go out and spend tons of money on security (well maybe Autobahn should but other SMB’s won’t) yet imagine how pissed off I was when E&Y who used to prepare my taxes had my electronic information stolen because it was on someone’s laptop and was sniped out of his car. Myself and a couple other thousand customers were effected and even more humiliating was the fact that the hotline set up wasn’t usable for U.S. residents living outside the U.S. nor were any of the credit monitoring services offered for free online possible to set up if outside the U.S. Well, my business is now gone from them and I am sure they lost a ton of other customers. This issue is going to only escalate in the future as more and more people have this information stolen.

]]> By: Jeff http://jeffnolan.com/wp/2006/10/15/data-security-as-a-customer-satisfaction-tool/comment-page-1/#comment-33085 Jeff Tue, 17 Oct 2006 14:24:01 +0000 http://jeffnolan.com/wp/2006/10/15/data-security-as-a-customer-satisfaction-tool/#comment-33085 Okay Andrew, fair enough. However, Autobahn was smart enough to identify when someone was attacking their system and stealing my data... and then shut it down. In thinking through this, I think that when these things happen the business in question should be obligated to disclose what the vulnerability that was exploited just to determine how "elite" the data thief really was. Also, this is not Billy Bob's Used Car Emporium, it's one of the largest Merceded dealerships in the country and, I believe, part of the Sonnen Auto Group (but I could be wrong about that). This is not your typical SMB and considering that nature of the data they collect I would have expected more. To your last point, which is a really good one, once they have my financial data and use it accordingly, the transaction is done and they should then destroy it. Okay Andrew, fair enough. However, Autobahn was smart enough to identify when someone was attacking their system and stealing my data… and then shut it down. In thinking through this, I think that when these things happen the business in question should be obligated to disclose what the vulnerability that was exploited just to determine how “elite” the data thief really was.

Also, this is not Billy Bob’s Used Car Emporium, it’s one of the largest Merceded dealerships in the country and, I believe, part of the Sonnen Auto Group (but I could be wrong about that). This is not your typical SMB and considering that nature of the data they collect I would have expected more. To your last point, which is a really good one, once they have my financial data and use it accordingly, the transaction is done and they should then destroy it.

]]> By: Andrew Fife http://jeffnolan.com/wp/2006/10/15/data-security-as-a-customer-satisfaction-tool/comment-page-1/#comment-32990 Andrew Fife Tue, 17 Oct 2006 06:29:30 +0000 http://jeffnolan.com/wp/2006/10/15/data-security-as-a-customer-satisfaction-tool/#comment-32990 Jeff: there is no such thing as electronic data security. The elite attackers can get into anything that they want to. Thankfully, there aren't many of these people. The real problem is that car dealerships shouldn't be handling (or at least not storing) personal finanical information. Its not realistic for a car dealership with otherwise extremely basic computing needs to invest in the labor, hardware and policy it takes to meet the (vague) standards that the GLBA, CA SB-1386 and AB-1950 establish. I don't know what the solution is but I suspect there are many SMBs with employees' and customers' personal information that they really are not equipped to manage. -Andrew Jeff:
there is no such thing as electronic data security. The elite attackers can get into anything that they want to. Thankfully, there aren’t many of these people. The real problem is that car dealerships shouldn’t be handling (or at least not storing) personal finanical information. Its not realistic for a car dealership with otherwise extremely basic computing needs to invest in the labor, hardware and policy it takes to meet the (vague) standards that the GLBA, CA SB-1386 and AB-1950 establish. I don’t know what the solution is but I suspect there are many SMBs with employees’ and customers’ personal information that they really are not equipped to manage.
-Andrew

]]> By: Jeff http://jeffnolan.com/wp/2006/10/15/data-security-as-a-customer-satisfaction-tool/comment-page-1/#comment-32896 Jeff Mon, 16 Oct 2006 20:23:35 +0000 http://jeffnolan.com/wp/2006/10/15/data-security-as-a-customer-satisfaction-tool/#comment-32896 Interesting observation. Interesting observation.

]]> By: johnrob http://jeffnolan.com/wp/2006/10/15/data-security-as-a-customer-satisfaction-tool/comment-page-1/#comment-32867 johnrob Mon, 16 Oct 2006 17:02:43 +0000 http://jeffnolan.com/wp/2006/10/15/data-security-as-a-customer-satisfaction-tool/#comment-32867 A relevant phrase I once saw on PayPal's website: "Make payments without giving up your financial information". Perhaps an underhyped advantage for PayPal. A relevant phrase I once saw on PayPal’s website:
“Make payments without giving up your financial information”.
Perhaps an underhyped advantage for PayPal.

]]> By: Jeff http://jeffnolan.com/wp/2006/10/15/data-security-as-a-customer-satisfaction-tool/comment-page-1/#comment-32838 Jeff Mon, 16 Oct 2006 13:39:26 +0000 http://jeffnolan.com/wp/2006/10/15/data-security-as-a-customer-satisfaction-tool/#comment-32838 yeah, no shit. The first step in the "how to protect yourself" brochure should be "only do business with companies that safeguard your personal and confidential information". yeah, no shit. The first step in the “how to protect yourself” brochure should be “only do business with companies that safeguard your personal and confidential information”.

]]> By: Frank Koehntopp http://jeffnolan.com/wp/2006/10/15/data-security-as-a-customer-satisfaction-tool/comment-page-1/#comment-32782 Frank Koehntopp Mon, 16 Oct 2006 08:22:21 +0000 http://jeffnolan.com/wp/2006/10/15/data-security-as-a-customer-satisfaction-tool/#comment-32782 Pointing you to ressources preventing identity theft is the real joke ;) Pointing you to ressources preventing identity theft is the real joke ;)

]]>