Nice to see this kind of transparency change happening.
http://www.wired.com/threatlevel/2010/03/sunshine/
Quote:
Government Stops Shielding Corporate Breach ‘Victims’
By Kevin Poulsen and Kim Zetter March 30, 2010 | 1:17 pm | Categories: Breaches, Cover-Ups
For the past few months, national retailer J.C. Penney has been fighting an under-seal court battle to keep you from knowing that its payment card network was breached by U.S. and Eastern European hackers.
The intrusions, by TJX hacker Albert Gonzalez and his overseas accomplices, occurred beginning in October 2007. J.C. Penney admits it was “wholly unaware” of the breach until the Secret Service told the company about it in May 2008, but now says with certitude that no identity or bank-card data was stolen in the breach it failed to detect. That’s why the company didn’t want to be identified to the public, says spokeswoman Darcie Brossart.
“Because there was no reason to think that the hackers were successful, there was no need to alarm J.C. Penney customers,” says Brossart. “We believed we had a legitimate interest in not being linked to criminal activity that resulted in major thefts from other companies.”
So in court filings, J.C. Penney argued that it was entitled to anonymity under the 2004 Crime Victims’ Rights Act, a law intended to protect the “dignity and privacy” of victims. A federal judge on Friday ordered the company’s identity unsealed anyway, as well as that of a second breached company, clothing retailer Wet Seal.
It’s a familiar story. Companies have never been eager to have their security slip-ups revealed to consumers. What was different, and remarkable, this time around is that an assistant U.S. attorney argued that J.C. Penney and Wet Seal should be identified. The lead prosecutor in the largest identity-theft hacks in U.S. history argued for disclosure.
Quote:
It’s a bit jarring to see a lucid pro-transparency, pro-security argument from a federal prosecutor. For years, law enforcement has had an informal policy of protecting companies from the public relations consequences of their poor security — a kind of omerta among intruders, the companies they hack and the feds, where only the public is left in the dark. To be sure, it’s never been set in stone, and not all feds have played ball. But it’s a common practice, and it corrodes accountability.