<html><head><meta http-equiv="Content-Type" content="text/html charset=iso-8859-1"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">Brian Krebs is a personal friend of mine and he is an amazing journalist who fact checks like crazy, carefully cites, obtains primary data often directly from underground sites. He has been instrumental in discovering and exposing many illegal activities in the illegal digital underground.<div><br></div><div>I think his reporting is fair and accurate. Experian was the legal owner of the contract at the time of notification by the Secret Service, therefore Experian was part of an ongoing data breach.<div><strong><br></strong></div><div>As to the potential 200 million records, that was a quote of a fact in a court record. I think that counts as a primary source. </div><div><br></div><div>Quoting dave "Likewise, it seems like it was not Experian's data at all" Exactly what Brian reported "According to U.S. government investigators, the data <b>was not</b>[emphasis mine] obtained directly from Experian, but rather via Columbus, Ohio-based <strong>US Info Search"</strong></div><div><br></div><div>I don't think this reflects poorly on your good friend, but rather shows the limitations of breach detection and due diligence. Heck he may not have even been involved in the acquisition.</div><div><br></div><div>The problem for the public is, Experian is a financial services firm and is thus held to a higher standard of care (both legally and morally). We expect our financial institutions to go the extra mile with access to our PII.</div><div><br></div><div>Heck at Chase you can't even deposit tiny bits of cash into your own account without showing an ID and signing a form, and you can not deposit cash into any account except your own.</div><div><br></div><div>The fact that Experian acquired a company whose identity proofing standards were not up to Experian's is a not only unfortunate it's a problem, further it was Experian's responsibility to identify in the due diligence phase. (I do think that is an intractable standard) However, Experian, as a financial services institution is not morally or legally entitled to hide behind their purchase of "Some random company" but should and probably has accepted responsibility. (they are certainly entitled to clarify as they did in their post) But just like Bank of America can not escape liability for the shady home loans they acquired with the Countrywide purchase, Experian has to take responsibility for their purchase of Court Ventures who created the contract vehicle for the data breach.</div><div><br></div><div>As with every data breach there are always nuances that trigger sensitivities on both sides, however your characterization of Brian's headline as "Shady" is unfair. </div><div>The fact that this happened to a company like Experian with an excellent CISO is just a proof point of what the challenges are in due diligence.</div><div><br></div><div>Now if you want some truly erroneous headlines try these</div><div><a href="http://www.toptenz.net/top-10-erroneous-newspaper-headlines.php">http://www.toptenz.net/top-10-erroneous-newspaper-headlines.php</a></div><div><br></div><div><br></div><div><div apple-content-edited="true">
<span class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px;"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Charisse Castagnoli</div><div><a href="mailto:charisse@charissec.com">charisse@charissec.com</a></div><div><br></div><div><br></div><div><br></div></div></span><br class="Apple-interchange-newline"></span><br class="Apple-interchange-newline">
</div>
<br><div><div>On Apr 4, 2014, at 4:06 PM, Dave Aitel <<a href="mailto:dave@immunityinc.com">dave@immunityinc.com</a>> wrote:</div><br class="Apple-interchange-newline"><div>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
<div bgcolor="#FFFFFF" text="#000000"><div style="margin: 0px; color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); position: static; z-index: auto;"><span style="font-size:
11pt; font-family: Calibri, sans-serif; color: rgb(31, 73,
125);"><a href="http://krebsonsecurity.com/2014/04/u-s-states-investigating-breach-at-experian/">http://krebsonsecurity.com/2014/04/u-s-states-investigating-breach-at-experian/</a><br>
</span></div><div style="margin: 0px; color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255);"><br>
<span style="font-size: 11pt; font-family: Calibri, sans-serif;
color: rgb(31, 73, 125);"></span></div>
So I read the Krebs report today with interest because the CISO of
Experian (Stephen Scharf) is an old friend of mine, and probably one
of the better CISO's in the business, imho. So there are a few
things I think are funny in the Krebs report. For example,<span style="font-size: 11pt; font-family: Calibri, sans-serif; color:
rgb(31, 73, 125);"> "</span><span style="font-size: 11pt;
font-family: Calibri, sans-serif; color: rgb(31, 73, 125);"><span style="color: rgb(85, 85, 85); font-family: Georgia; font-size:
14px; font-style: normal; font-variant: normal; font-weight:
normal; letter-spacing: normal; line-height:
21.599998474121094px; orphans: auto; text-align: justify;
text-indent: 0px; text-transform: none; white-space: normal;
widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;
display: inline !important; float: none;">Court records just
released last week show that Ngo tricked an Experian subsidiary
into giving him </span><em style="margin: 0px; padding: 0px;
border: 0px; outline: 0px; font-size: 14px; vertical-align:
baseline; background-color: transparent; color: rgb(85, 85, 85);
font-family: Georgia; font-variant: normal; font-weight: normal;
letter-spacing: normal; line-height: 21.599998474121094px;
orphans: auto; text-align: justify; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-position: initial initial; background-repeat: initial
initial;">direct access to personal and financial data on more
than 200 million Americans. "</em></span> Right now, using
Google, I have direct access to billions of records on both
Americans and non-Americans But that doesn't mean I downloaded it
and used it. How much data did this guy even get? Something more on
the order of 3 million various things. Likewise, it seems like it
was not Experian's data at all, but the result of some legal
agreements that happened before Experian ever got involved. Also I
love the part in the court documentation where the defendant has
been hearing voices and is basically crazy.<br>
<br>
I guess the point is, "Some random company Experian bought had an
agreement with another company that had an customer who was shady
and then arrested" is not as catchy a title, even if it is more
accurate than "U.S. States Investigating Breach at Experian" which
is what Krebs decided to run with this time.<br><div style="margin: 0px; color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255);"><br>
</div>
Official Experian response to the whole mess (worth a quick read) is
here:<span style="font-size: 11pt; font-family: Calibri, sans-serif;
color: rgb(31, 73, 125);"><em style="margin: 0px; padding: 0px;
border: 0px; outline: 0px; font-size: 14px; vertical-align:
baseline; background-color: transparent; color: rgb(85, 85, 85);
font-family: Georgia; font-variant: normal; font-weight: normal;
letter-spacing: normal; line-height: 21.599998474121094px;
orphans: auto; text-align: justify; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-position: initial initial; background-repeat: initial
initial;"></em></span><br>
<span style="font-size: 11pt; font-family: Calibri, sans-serif;
color: rgb(31, 73, 125);"><em style="margin: 0px; padding: 0px;
border: 0px; outline: 0px; font-size: 14px; vertical-align:
baseline; background-color: transparent; color: rgb(85, 85, 85);
font-family: Georgia; font-variant: normal; font-weight: normal;
letter-spacing: normal; line-height: 21.599998474121094px;
orphans: auto; text-align: justify; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-position: initial initial; background-repeat: initial
initial;"></em></span><div style="margin: 0px; color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255);"><span style="font-size:
11pt; font-family: Calibri, sans-serif; color: rgb(31, 73,
125);"><a href="http://www.experian.com/blogs/news/2014/03/30/court-ventures/" target="_blank" style="color: rgb(17, 85, 204);">http://www.experian.com/blogs/<wbr>news/2014/03/30/court-<wbr>ventures/</a><br>
</span></div><div style="margin: 0px; color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); position: static; z-index: auto;"><span style="font-size:
11pt; font-family: Calibri, sans-serif; color: rgb(31, 73,
125);"><br>
-dave<br>
<br>
</span></div>
</div>
_______________________________________________<br>Dailydave mailing list<br><a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br>https://lists.immunityinc.com/mailman/listinfo/dailydave<br></div></div><br></div></div></body></html>