I previously mentioned the Hannaford breach and that it's the CEOs who take the fall, but now I have to add one more thing for CEOs to fear. First, it was the potential impact to the bottom line or damage to the company's reputation. Then it was fines by regulators and maybe even jail time. Now add to the list of potential repercussions of a security breach: being called out in Mark MacAuley's blog. And Mark names names. He tried to convince Hannaford to put measures in place to prevent this type of attack. Now Mark is guessing it was an inside job, since the attacker installed software on every server in 300 stores. He's probably right. It's hard enough for system administrators to roll out software on that scale and effectively hit every server (even with a team of consultants). It seems unlikely for someone with no knowledge of the environment to come along and accomplish that goal -- not impossible, but unlikely, given that these attacks are most likely targeted at low-hanging fruit where the 80/20 rule would apply.
I hope Mark doesn't mind that I'm picking on him. There is an element of seriousness to my comment about the new item on the list of repercussions. There are a variety of convenient ways to publicly call out a CEO or other business leader for lack of movement or poor decisions. You can't hide and wait for something like this to blow over. Not any more. It's time to accept risk management as a top priority – as important as discovering new ways to expand the business. And yes, leakage of customer data should probably be high on the list of risks. No more excuses. No more walls. Lots of transparency. Viva la Clue Train!
Ira Winkler disagrees that it was likely an inside job. I'm sure he's forgotten more about hacking than I ever knew. So, he may be right. I don't doubt that someone could hit 100% of servers, but I guess I didn't see that as the goal. Maybe I'm not in tune with the motivations of hackers.
...this may be the article that Ira refers to.