Rewritten: there's simply no value to creating a bigger dumpster fire than this has already been crafted into.
Let's walk through the implications of this sensitive data exposure and try to set a rational tone:
- Reputational damage resulting from fraud is a real thing.
- FOC is a fellow victim in this case. Not a perpetrator.
- FOC has suffered reputational losses that led to financial damages. Damages that almost certainly exceed their affected customers' inconvenience. I can promise you -- they feel your pain.
- No evidence exists that FOC is in any way complicit (through action or inaction) in facilitating the incident.
So on the basis of these 3 points can we agree to be careful not to 'kick the wrong dog' here?
Threat actors did this. Put that anger where it belongs...
- Business maturity is also a real thing.
- The Business Maturity Model (BMM) describes an organization's posture and ability to react to a security incident, including but not limited to their ability to communicate risk with their clients.
While FOC is responsible for their own reasonable standards of care for data in their possession, it just isn't reasonable to try and hold them to the same standards as Mastercard or VISA.
Let me expand on that second point a bit further...
A business's maturity level directly impacts their ability to deal with risk. In this case - the compromise of data confidentiality that led to fraud. Is the incident painful? Yes. But a low state of maturity is more akin to 'growing pains' and operational realities than it is to negligence. And it is a world away from the shade some folks have attempted to throw on FOC.
Let's be clear on overall scope of what we're talking about here...
FOC almost certainly:
- lacks a Board of Directors to manage risk to the business and drive governance. BoDs are a thing for large, publicly traded entities - not sole proprietorships or partnerships.
- doesn't have a CISO mismanaging some Information Security program that they can fire for negligence.
- isn't a major corporation with deep pockets that can afford to implement ISO 27001 compliance.
- doesn't have a Security Steering Committee exercising oversight to push for PCI-DSS compliance measures as treatment for the credit exposure.
- doesn't have an Incident Response Team or SOC that can respond to the event.
- lacks the infrastructure or budget to afford a SIEM integrating XDM/ to correlate logs, the analysts to investigate root cause, or an XSOAR to automate incident responses; and
- has about the same expectations for response from law enforcement. Calling the RCMP. I did that. In my official role with a much larger (3500 employee) company. Do you have any idea what it costs the RCMP to successfully prosecute a cybersecurity incident when the threat actors are IN Canada? Let me help you out here. It is substantial.
It would be quicker to enumerate what they do have:
- There’s a point of sale terminal or two.
Provided by a third-party vendor who hopefully meets some governance standard on at least a few of the things I pointed out above, but who knows for sure.
Western adoption and compliance for IS security is abysmal. Zero bull####. It's a real issue...
- And there is a computer system.
That might be maintained by a one man show.
Who (let's be honest here) likely repaired dishwashers for a living just 5 years ago.
Tell me I'm just wrong here...
I attended a course this week for NIST 800-82 compliance (securing OT Networks - think gas plants, factories, pipelines, etc).
It is put on by a recognizable name in the Security industry space. One keynote was that some 95% of Enterprises (companies lacking the sophistication of Saudi Aramco or BP) fail to meet the levels of protection that they actually know are required by Law, Regulation or Industry Standard.
Exposure issues with sensitive credit detail that resulted in fraud attempts aside, FOC has a completely separate domain squatting issue. Another fraudster is targeting (yes, targeting) the vendor, and they are the victim of yet another crime.
Gentle reminder for a more enlightened perspective here.
- Fraud is rampant.
- Law enforcement, jurisprudence, legislators and industry regulators alike are struggling to address the threat.
- You are guaranteed personal liability protection by the Canadian Bank Act and consumer protection laws.
- FOC is a partner in our community. Not an adversary.
We can do better than this...