
While it is always "fun" (for some definition of the word fun) to pile on, and sometimes to watch otherwise clueless elected officials get soundbites at the expense of a hapless CEO of a company that did bad things, or allowed bad things to happen on their watch ... the bigger picture is one of what sequence of events enabled this to occur. Placing the blame on an OSS component, or a "sole IT" person, is both unfortunate and generally wrong.

None of this would have come to fruition had the business model not been one of "let's gather and curate high value information and intelligence about individuals", without an appropriate "gee, we have high value intelligence and information on individuals, maybe we should design our systems so that in the event of a failure of a security system, damage would be minimal." When you aggregate, curate, and sell access to high value information, you damned well better have a good and fail-safe security model. So if your DCs are overrun with hackers, the data exfiltrated would be unusable.

More specifically, the principle I claim to be implicitly at play here is: with great power and/or information comes great responsibility. Pointing fingers at lower-level subordinates for their possible failings ... opening up and exposing the entire business model's core weaknesses in terms of data protection, and data access integrity and control ... means that the organization has simply failed to maintain, audit, test, and verify that its control systems are adequate to the task. Blaming an OSS component for all the damage means that the rest of the systems were not designed and built to the necessary level of safety and security.

This is part of what I find unconscionable. They attempt to absolve themselves of blame by pointing fingers.

When an organization does crap like this, you know they have many other problems. And yes, you cannot, and should not trust them going forward. If data was exfiltrated from them (and it was), is it possible that their data was altered in situ? Yes, yes it is.

They should not be allowed to have such data in their control again. Seriously, if you can't control access to the data, you can't have the data.
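The comment argues for two design properties: a dump of the data store should be unusable without a key the attacker did not get, and silent alteration of records in situ should be detectable. The following is an added example, not code from the commenter or from any company discussed in the thread, showing how envelope encryption gives both. The `KeyManagementService` class is a hypothetical stand-in for a real KMS/HSM that never releases the key-encryption key (KEK); each record gets its own data-encryption key (DEK), which is stored wrapped by the KEK. Because the standard library ships no AEAD cipher, `seal`/`open_sealed` use an HMAC-SHA256 keystream with a separate HMAC tag (encrypt-then-MAC) purely so the example runs offline; a production system would use AES-GCM or ChaCha20-Poly1305 from a vetted library. The sample record is constructed.

```python
import hashlib
import hmac
import json
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC keys from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 (stand-in for a real cipher).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || tag. The tag makes in-situ
    # alteration of a stored row detectable on the next read.
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: record altered or wrong key")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class KeyManagementService:
    """Hypothetical KMS: the KEK lives only here, never in the database."""

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)

    def wrap(self, dek: bytes) -> bytes:
        return seal(self._kek, dek)

    def unwrap(self, wrapped: bytes) -> bytes:
        return open_sealed(self._kek, wrapped)


def store_record(kms: KeyManagementService, record: dict, sensitive: tuple) -> dict:
    # One fresh DEK per record; only the KEK-wrapped DEK is written to the row.
    dek = secrets.token_bytes(32)
    row = {k: v for k, v in record.items() if k not in sensitive}
    for field in sensitive:
        row[field] = seal(dek, record[field].encode()).hex()
    row["wrapped_dek"] = kms.wrap(dek).hex()
    return row


def read_record(kms: KeyManagementService, row: dict, sensitive: tuple) -> dict:
    dek = kms.unwrap(bytes.fromhex(row["wrapped_dek"]))
    record = {k: v for k, v in row.items() if k not in sensitive and k != "wrapped_dek"}
    for field in sensitive:
        record[field] = open_sealed(dek, bytes.fromhex(row[field])).decode()
    return record


def dump_contains(rows: list, needle: str) -> bool:
    # What an attacker who exfiltrates the table (but not the KMS) can grep for.
    return needle in json.dumps(rows)


def tamper(row: dict, field: str) -> dict:
    # Simulate in-situ alteration: flip one bit of a stored ciphertext.
    blob = bytearray(bytes.fromhex(row[field]))
    blob[NONCE_LEN] ^= 0x01
    altered = dict(row)
    altered[field] = bytes(blob).hex()
    return altered


SENSITIVE_FIELDS = ("name", "ssn")
# Constructed sample record; the values are placeholders, not real data.
CONSTRUCTED_RECORD = {"id": 42, "name": "Jane Example", "ssn": "000-00-0000"}

if __name__ == "__main__":
    kms = KeyManagementService()
    row = store_record(kms, CONSTRUCTED_RECORD, SENSITIVE_FIELDS)
    print("plaintext SSN visible in dump:", dump_contains([row], "000-00-0000"))
    print("round trip:", read_record(kms, row, SENSITIVE_FIELDS) == CONSTRUCTED_RECORD)
```

The design choice that matters is the separation: the table holds ciphertext plus wrapped DEKs, and the KEK is reachable only through the KMS interface, so "DCs overrun" yields rows that are useless without a second, independently guarded compromise. The MAC tag answers the "altered in situ" question: a modified row fails `open_sealed` instead of silently decrypting to garbage.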



