[Dailydave] Shady headlines

security curmudgeon jericho at attrition.org
Fri Apr 4 20:27:16 EDT 2014


On Fri, 4 Apr 2014, Dave Aitel wrote:

: http://krebsonsecurity.com/2014/04/u-s-states-investigating-breach-at-experian/
: 
: So I read the Krebs report today with interest because the CISO of 
: Experian (Stephen Scharf) is an old friend of mine, and probably one of 
: the better CISOs in the business, imho. So there are a few things I 

Perhaps, but if he is involved in Experian's role of making legal threats 
against a non-profit organization who cited Krebs as a source, while 
refusing to go after Krebs or any other major news outlet that parroted 
his headlines, he isn't a good CISO imho.

: think are funny in the Krebs report. For example, "Court records just 

After the legal threat, I had a dialogue with Krebs and summarized their 
complaint (cliff notes: Experian was not breached). DatalossDB updated the 
entry to more accurately reflect what happened, listed US Info Search as 
the primary with Court Ventures and Experian as secondary 'affected'. 
Krebs opted to keep his headlines for the original article and the 
follow-up that said as many as 200 million records were involved.

Even after this, Experian has apparently not threatened anyone else over 
their coverage. But they felt it was necessary to threaten us, without 
asking us to update it politely first. Their bullshit threat also lied and 
said that *we* were responsible for everyone thinking it was Experian and 
200 million, when we clearly cited our source, and every other news 
article clearly cited their source (Krebs).

: I guess the point is, "Some random company Experian bought had an 
: agreement with another company that had a customer who was shady and 
: then arrested" is not as catchy a title, even if it is more accurate 
: than "U.S. States Investigating Breach at Experian" which is what Krebs 
: decided to run with this time.

It isn't quite as clear cut as that either. From my understanding, after 
Court Ventures was purchased by Experian and 'due diligence' was done, the 
abuse continued. Not the same as 'experian lost blah records' and still 
not a catchy title I know, but the story is more muddled than that.

- jericho

