[Dataloss] Consumers of Hannaford Brothers Co. Supermarkets File Class Action Suit

Mike Simon msimon at creationlogic.com
Thu Mar 20 18:25:20 UTC 2008 

I've been quiet on the topic of certification, compliance and fault
based on these ideas so far, but I'm hearing some pretty strong
statements that I have problems with. The idea that a certification or
endorsement of compliance to a standard of protection should make the
certifying body responsible if data in subsequently lost seems a bit
harsh considering that the certifying agency had no control of the
operation of the compromised systems after they did their testing.
Essentially certification/compliance typically shows that at a
specific point in time the system met certain conditions - nothing
more. If the testing was never done, or it was done and the results
falsified that's one thing. Holding the auditors responsible for all
system behavior after that point in time is hard to fathom.

For me, that points to an increased need to audit IT practices in some
kind of continuous improvement loop (CMM level 5) rather than trying
to hang auditors out to dry every time someone mis configures their
firewall a few weeks after the last audit.

To answer your question, I would hold Visa responsible if they had
anything to do with falsely certifying conditions at Hannaford to be
safe, but not for putting in place a mechanism designed to improve the
overall stance of their partners and not somehow making it perfect.

On Thu, Mar 20, 2008 at 6:17 AM, Rodney <rwise29210 at gmail.com> wrote:
>
>  Wouldn't you include Visa in the discovery if they certified Rapid7? I use
> PayPal as my gateway and if anything ever happened I would sing names like
> canary.
>
>  Rodney Wise
>
>  South East Ostrich Supply
>  http://www.seostrich.com
>
>
>
>
>  On Wed, 2008-03-19 at 17:58 -0700, Mike Simon wrote:
>
>
>
> I think you're right in also considering that the product was used
> correctly and just not up to the task, which raises an interesting but
> possibly off-topic question in my mind. If Rapid7 falsely attributes
> the incident to mis-use of their product in a public forum (the press
> release), essentially increasing the potential liability of Hannaford,
> it seems like Hannaford might have a cause of action against Rapid7.
> The cause of action is unrelated to the performance of their product,
> which I'm sure is well protected by the license agreement, but instead
> related to (potentially) false and (potentially) damaging statements
> about Hannaford's security practices.
>
> It seems to me that the statement in the revised press release has no
> real upside for Rapid7 true _or_ false. As someone stated earlier in
> this thread, they should have withdrawn the press release from their
> web site and taken their lumps.
>
> I'm certainly not a lawyer, and have NO knowledge of the incident,
> truthfulness of the subsequent Rapid7 disclaimers or really anything
> at all. This is intended as a discussion of hypothetical outcomes.
>
> Mike
>
> On Wed, Mar 19, 2008 at 5:40 PM, Jamie C. Pole <jpole at jcpa.com> wrote:
> >
> > Let's also consider the possibility the Hannaford WAS using the tool
> > correctly, and that it just didn't work as advertised.
> >
> > As far as the law firm being on the ball, trust me, they are. I know this
> > firm well, and they will absolutely include Rapid7 in their discovery
> > process. If I was senior management at Rapid7, I would NOT be sleeping
> well
> > right now.
> >
> > The kiss of death in this case is going to be the fact that there have
> been
> > around 1800 reported cases of fraud stemming from the incident. This was
> > not an accident.
> >
> > Jamie
> >
> >
> > -----Original Message-----
> > From: dataloss-bounces at attrition.org
> [mailto:dataloss-bounces at attrition.org]
> > On Behalf Of Mike Simon
> > Sent: Wednesday, March 19, 2008 6:47 PM
> > To: lyger; dataloss-bounces at attrition.org; dataloss at attrition.org
> > Subject: Re: [Dataloss] Consumers of Hannaford Brothers Co. Supermarkets
> > FileClass Action Suit
> >
> >
> >
> > This could not be a better example of why companies hesitate to disclose
> > details. If this lawfirm is on the ball. They will get access to the
> > exchange with Rapid7 which, according to the press release changes,
> > indicates potential additional negligence in that the had a tool that may
> > have prevented this problem and failed to use it properly. Not a helpful
> > disclosure for Hannaford with respect to the class action.
> >
> > Mike
> >
> >
> >
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor your
> traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml
>
>
>  Rodney Wise
>
>  South East Ostrich Supply
>  http://www.seostrich.com
>  (803) 741-5636

More information about the Dataloss mailing list