[Dailydave] Shady headlines - Disagree

Charisse Castagnoli charisse at charissec.com
Fri Apr 4 19:36:46 EDT 2014


Brian Krebs is a personal friend of mine and he is an amazing journalist who fact checks like crazy, carefully cites, obtains primary data  often directly from underground sites.  He has been instrumental in discovering and exposing many illegal activities in the illegal digital underground.

I think his reporting is fair and accurate.  Experian was the legal owner of the contract at the time of notification by the Secret Service, therefore Experian was part of an ongoing data breach.

As to the potential 200 million records, that was a quote of a fact in a court record.  I think that counts as a primary source. 

Quoting dave "Likewise, it seems like it was not Experian's data at all"  Exactly what  Brian reported "According to U.S. government investigators, the data was not[emphasis mine] obtained directly from Experian, but rather via Columbus, Ohio-based US Info Search"

I don't think this reflects poorly on your good friend, but rather shows the limitations of breach detection and due diligence.  Heck he may not have even been involved in the acquisition.

The problem for the public is, Experian is a financial services firm and is thus held to a higher standard of care (both legally and morally).   We expect our financial institutions to go the extra mile with access to our PII.

Heck at Chase you can't even deposit tiny bits of cash into your own account without showing an ID and signing a form, and you can not deposit cash into any account except your own.

The fact that Experian acquired a company whose identity proofing standards were not up to Experian's is a not only unfortunate it's a problem, further it was Experian's responsibility to identify in the due diligence phase. (I do think that is an intractable standard) However, Experian, as a financial services institution is not morally or legally entitled to hide behind their purchase of "Some random company" but should and probably has accepted responsibility. (they are certainly entitled to clarify as they did in their post)  But just like Bank of America can not escape liability for the shady home loans they acquired  with the Countrywide purchase, Experian has to take responsibility for their purchase of Court Ventures who created the contract vehicle for the data breach.

As with every data breach there are always nuances that trigger sensitivities on both sides, however your characterization of Brian's headline as "Shady" is  unfair. 
The fact that this happened to a company like Experian with an excellent CISO is just a proof point of what the challenges are in due diligence.

Now if you want some truly erroneous headlines try these
http://www.toptenz.net/top-10-erroneous-newspaper-headlines.php


Charisse Castagnoli
charisse at charissec.com






On Apr 4, 2014, at 4:06 PM, Dave Aitel <dave at immunityinc.com> wrote:

http://krebsonsecurity.com/2014/04/u-s-states-investigating-breach-at-experian/

So I read the Krebs report today with interest because the CISO of Experian (Stephen Scharf) is an old friend of mine, and probably one of the better CISO's in the business, imho. So there are a few things I think are funny in the Krebs report. For example, "Court records just released last week show that Ngo tricked an Experian subsidiary into giving him direct access to personal and financial data on more than 200 million Americans. " Right now, using Google, I have direct access to billions of records on both Americans and non-Americans But that doesn't mean I downloaded it and used it. How much data did this guy even get? Something more on the order of 3 million various things. Likewise, it seems like it was not Experian's data at all, but the result of some legal agreements that happened before Experian ever got involved. Also I love the part in the court documentation where the defendant has been hearing voices and is basically crazy.

I guess the point is, "Some random company Experian bought had an agreement with another company that had an customer who was shady and then arrested" is not as catchy a title, even if it is more accurate than "U.S. States Investigating Breach at Experian" which is what Krebs decided to run with this time.

Official Experian response to the whole mess (worth a quick read) is here:
http://www.experian.com/blogs/news/2014/03/30/court-ventures/

-dave

_______________________________________________
Dailydave mailing list
Dailydave at lists.immunityinc.com
https://lists.immunityinc.com/mailman/listinfo/dailydave

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20140404/c9ee6385/attachment.html>


More information about the Dailydave mailing list