
Fortune 500 company leaked 264GB in client, payment data - pwg
https://www.zdnet.com/article/veteran-fortune-500-company-leaked-264gb-in-client-payment-data/
======
coldcode
I love how companies say no credit card data was leaked, and don't admit that
everything else known to the company, including client and employee PII data, was
there. All of these sorts of things can be turned into money, including
blackmail and identity theft.

~~~
jjeaff
And cc data is the very least important thing. Banks are required by law to
return fraudulent charges. They are on the hook, not you.

As for having your identity stolen, that can be a very expensive and long
drawn out process to recover from.

------
booleandilemma
The figure of 264GB doesn’t really tell us much; it would be more informative
if they shared the # of people affected.

~~~
conroydave
If we can assume it's mostly text data, then it speaks a bit to the scope.

~~~
lruor
It might be full of those scanned PDFs that are 100 MB each.

~~~
coherentpony
Therefore 2640 people? That's a lot of people.

------
tyingq
_" a log management server was leaking system-wide information"_

Interesting. Similar to Facebook's issue with logs. Though it didn't leak
outside the company in their case.

~~~
edoceo
Elastic Search with no firewall or auth?

~~~
tyingq
Well, I meant similar in that logs don't need to have sensitive info in them.
Or that if they do, access should be really narrow.

------
buremba
Is there a product that tracks all the data infrastructure of the companies
including the log and analytics systems and detects if there's any sensitive
data in it?

~~~
tyingq
There are products that look for patterns that might be PII like SSNs, CC
numbers, etc.

Google for something like "pii scanning".

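The pattern-based approach the comment above describes, as an added example that is not part of the thread and not the code of any product it refers to: a small scanner that runs over constructed log lines, flags SSN-shaped and card-shaped values and email addresses, uses a Luhn check so that session IDs and timestamps do not trip the card rule, and masks what it reports so the scanner's own output does not become another copy of the data. The log lines, field names and the `Finding` type are all constructed for this illustration.

```python
"""Minimal PII scanner for log lines: regex candidates plus a Luhn check.

Added example for illustration (not code from the thread or any product
mentioned in it). SAMPLE_LOG below is constructed, not real log data.
"""
import re
from dataclasses import dataclass

# SSN shape with the obviously invalid area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Mask all but the last `keep` characters so a finding can be reported safely."""
    return "*" * (len(value) - keep) + value[-keep:]


def mask_email(value: str) -> str:
    """Keep the first character of the local part and the domain."""
    local, domain = value.split("@", 1)
    return local[0] + "***@" + domain


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    masked: str


def scan_line(line_no: int, line: str) -> list[Finding]:
    """Return the PII findings for one log line, with values masked."""
    findings: list[Finding] = []
    for m in SSN_RE.finditer(line):
        findings.append(Finding(line_no, "ssn", mask(m.group())))
    for m in CARD_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        # The Luhn check drops most numeric IDs that merely look card-shaped.
        if luhn_ok(digits):
            findings.append(Finding(line_no, "card", mask(digits)))
    for m in EMAIL_RE.finditer(line):
        findings.append(Finding(line_no, "email", mask_email(m.group())))
    return findings


def scan_log(lines: list[str]) -> list[Finding]:
    """Scan a whole log, numbering lines from 1."""
    out: list[Finding] = []
    for n, line in enumerate(lines, start=1):
        out.extend(scan_line(n, line))
    return out


# Constructed sample log lines (the card number is the well-known Visa test value).
SAMPLE_LOG = [
    "2019-05-01T10:00:01Z INFO  checkout ok order=123456 user=u_8812",
    "2019-05-01T10:00:02Z DEBUG payment card=4111 1111 1111 1111 exp=12/23",
    "2019-05-01T10:00:03Z INFO  kyc ssn=123-45-6789 name=J. Doe",
    "2019-05-01T10:00:04Z INFO  session id=1234567890123456 ok",
    "2019-05-01T10:00:05Z WARN  reset requested for jane.doe@example.com",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} {f.masked}")
```

Line 4 is the point of the Luhn check: the 16-digit session ID matches the card regex but fails the checksum, so it is not reported, while the test card number on line 2 is. Real scanners add context keywords, format-specific checks and sampling of large stores on top of this, but the shape is the same: candidate patterns, a validation step to cut false positives, and a report that never echoes the raw value.
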
~~~
buremba
It looks like they're mostly designed for desktop. It would be a good idea to
make it compatible for cloud IMO. Could be a good startup idea, anyone
interested might shoot me an email. :)

~~~
tyingq
For the existing cloud ones, search for: casb pii

------
peteradio
Is there ever a reason to do this intentionally for some sort of financial
benefit where the known punishments really don't outweigh whatever the (I
don't know what) benefits are? Obviously a loaded question here, I apologize
in advance. But I can't help but wonder about it when something like this
happens. Are there reasons that this information would want to be leaked? I'm
not interested in arguments for Hanlon's razor.

~~~
craftyguy
The punishment for mishandling data does not outweigh the benefit in
collecting it, that's why this keeps happening. At this point any 'punishment'
is just 'operating costs', and only increases the value of collecting
customer/client data.

~~~
godzillabrennus
Correct.

Also, up until about three years ago you could purchase cheap cyber security
insurance. When Sony got hacked over “The Interview” policies went up.

Still, most companies don’t do anything to really prevent issues.

------
equalunique
But the DNC emails _definitely_ weren't leaked and coincidentally the favorite
pastime geopolitical scapegoat is the one to blame, also vote for us. ;)

