Lets Demand Names in
Data Fumbles"> Of course, we cant expect immediate accountability and retribution. The Gap only disclosed this breach last week, after all, and its now got its hands full just notifying the affected job applicants, investigating what happened and taking steps to ensure it doesnt happen again. Those are all top priorities. But when the dust settles, I fervently hope for a few things: First, I hope the Gap publicly discloses the vendor responsible for the shoddy handling of sensitive data that led to this unnecessary debacle. Not that public shaming is a guaranteed punishment or disincentive to further bungling, mind you. As RSnakeaka hacker Robert Hansennoted in a posting Oct. 3, theres "no evidence whatsoever" that TJX, for example, suffered following its own massive data breach. "If you look at the TJMaxx 1 year stock chart not only did they recover from the huge security breach in Feb, but theyre actually up!" he wrote. "Clearly, the consumers and the investment community has decided to overlook their issues. Strange."So yes, public outing in the case of the Gaps vendor is one hope. Another hope is that the chain of culpability in the Ohio case reaches far and wide enough. After all, it was acceptable at some level, officially or not, that the Ohio CIOs office was sending a backup tape home with a different personread, internsevery night. Emerging Chaos blogger Adam had some great takeaways on this: First, build your projects with new data, instead of reusing templates that can have leftover data still clinging to them, such as what apparently happened with Connecticut data left over in a template for an Ohio project. Second, Outsourcers "are likely to cut corners in ways they dont think youll catch," he wrote. Third, supervise interns. And as far as overall response to data breaches goes, Id say a good takeaway is lets hold everybody responsible, reaching as far along the chain of culpability as possible.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
Perhaps consumers are willing to overlook TJXs security glitches. They dont think twice when handing over a credit card in a store thats inadvertently allowed their information to be handed over to thieves, evidently. But its another matter entirely when youre talking about an organization entrusting its sensitive information to a third party. Public shaming at the corporate level will carry much more weight when it comes down to sitting over the conference room table to talk about a vendors track record with security breaches.