Let's Demand Names in Data Fumbles

By Lisa Vaas  |  Posted 2007-10-04

Of course, we can't expect immediate accountability and retribution. The Gap only disclosed this breach last week, after all, and it's now got its hands full just notifying the affected job applicants, investigating what happened and taking steps to ensure it doesn't happen again. Those are all top priorities. But when the dust settles, I fervently hope for a few things: First, I hope the Gap publicly discloses the vendor responsible for the shoddy handling of sensitive data that led to this unnecessary debacle. Not that public shaming is a guaranteed punishment or disincentive to further bungling, mind you. As RSnake—aka hacker Robert Hansen—noted in a posting Oct. 3, there's "no evidence whatsoever" that TJX, for example, suffered following its own massive data breach. "If you look at the TJMaxx 1 year stock chart not only did they recover from the huge security breach in Feb, but they're actually up!" he wrote. "Clearly, the consumers and the investment community has decided to overlook their issues. Strange."
Perhaps consumers are willing to overlook TJX's security glitches. They don't think twice when handing over a credit card in a store that's inadvertently allowed their information to be handed over to thieves, evidently. But it's another matter entirely when you're talking about an organization entrusting its sensitive information to a third party. Public shaming at the corporate level will carry much more weight when it comes down to sitting over the conference room table to talk about a vendor's track record with security breaches.
So yes, public outing in the case of the Gap's vendor is one hope. Another hope is that the chain of culpability in the Ohio case reaches far and wide enough. After all, it was acceptable at some level, officially or not, that the Ohio CIO's office was sending a backup tape home with a different person—read, interns—every night. Emerging Chaos blogger Adam had some great takeaways on this: First, build your projects with new data, instead of reusing templates that can have leftover data still clinging to them, such as what apparently happened with Connecticut data left over in a template for an Ohio project. Second, outsourcers "are likely to cut corners in ways they don't think you'll catch," he wrote. Third, supervise interns. And as far as overall response to data breaches goes, I'd say a good takeaway is let's hold everybody responsible, reaching as far along the chain of culpability as possible.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.

Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
