BelchSpeak

MBIA Breach and Hard Headed Security

I’ve done numerous notifications to companies that have suffered breaches and exploits of customer data. Incidents have varied wildly, from law firms hosting malware to women’s health clinics with a vulnerable online payment system that stored clear-text credit card info and patient information. By notifying so many groups, I’ve learned that the first things you do are:

  • Give your full name and phone number.
  • Explain that this is not a sales call, but an urgent notification.
  • Provide summarized details until you can actually speak to the security person.

Even then, I got a few hangups, but I kept calling back until I got someone’s attention.

When MBIA was notified that their website was poorly configured and allowed anyone to view private information, they refused to speak to the security researcher for two weeks, and then claimed they thought he was a sales guy.

From the Reuters article:

Seely said he left numerous messages at MBIA and sent emails on the social media site LinkedIn. He said MBIA did not respond although it had read the emails sent over the social network and had visited his profile page.

“Based on the manner in which he was contacting people, including someone who hasn’t worked for the company for the better part of 10 years, and the non-specific nature of his warnings of a problem with the MBIA website, the belief here was that he was attempting to sell us something,” said Kevin Brown, a spokesman for MBIA.

Seely said he never asked for money or offered anything for sale.

MBIA only reacted when Seely contacted independent investigative reporter Brian Krebs, who specializes in cyber security issues. Krebs said he informed MBIA on Monday before blogging about the issue on his website, KrebsOnSecurity.com.

The security folks at MBIA must be pretty hardheaded. I’m certain Brian Seely is a seasoned veteran at doing vulnerability notifications, as it’s something he’s done for 15 years or more. If someone is trying to notify you of a security breach, a pending attack, or even a bomb threat, you hear them out, get details, get their contact information, and you investigate. Don’t ignore them.

Dr. Jones

Do not talk about fight club. Oops.