Ask HN: Just lost sensitive data to this. Compliance, lawyers...what next? - JumpCrisscross
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1320

======
patio11
I'm sorry for your circumstances. Life is going to get a little harried for a
little while. It will be survivable -- you're far from the first business this
happened to.

1) GET HELP. It is unlikely that you have the technical/legal/compliance/etc
expertise to handle this 100% in house. Even the big guys call in outside
experts when this happens.

2) Make sure you have shut the barn door and that you cannot lose more data to
either the same vulnerability or to additional compromises stemming from it.
If you are not sure you have this locked down, take the systems offline until
you are positive.

3) Find out what data, specifically, you lost. If you cannot do this, try to
establish as tight as possible an upper bound on what data you lost.

4) You may have notification requirements driven by Step #3. Follow them as
specified by the relevant compliance guidelines or written disclosure plan. If
you didn't have a written policy in place for this already, this is a good
opportunity to put one in place for the future.

5) Document. Everything.

6) If your competent professional advisors (lawyers / representatives of the
insurance company / compliance specialists / security firm) advise against any
of the above, trust their advice. That's what you pay them for.
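
Step 3 above (find out exactly what was lost, or failing that put a tight upper bound on it) is the one step a security engineer is usually asked to turn into something concrete. The following is an added example, not code from the thread or from the poster's company: it scopes a breach from web access logs by collecting the customer records that suspect IPs successfully read inside the compromise window, and it refuses to report a tight bound when the logs do not actually cover that window or contain lines it could not parse. The log format, the `/api/customers/<id>` URL scheme, the IP addresses, the total record count and the helper names are all constructed assumptions for illustration.

```python
"""Scope a breach from access logs: which records did the suspect sessions
touch, and do the logs actually let us bound it?

Added illustration; log format, URL scheme, addresses and names are assumed.
"""
import re
from datetime import datetime, timezone

# Constructed sample access log in an Apache-combined-like format (assumed).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Apr/2014:02:14:01 +0000] "GET /api/customers/1042 HTTP/1.1" 200 512
203.0.113.7 - - [17/Apr/2014:02:14:03 +0000] "GET /api/customers/1043 HTTP/1.1" 200 510
198.51.100.2 - - [17/Apr/2014:02:15:10 +0000] "GET /api/customers/77 HTTP/1.1" 200 500
203.0.113.7 - - [17/Apr/2014:02:16:44 +0000] "GET /api/customers/1042/invoices HTTP/1.1" 200 2048
203.0.113.7 - - [17/Apr/2014:02:17:00 +0000] "GET /api/export?all=1 HTTP/1.1" 403 0
203.0.113.7 - - [17/Apr/2014:02:18:22 +0000] "GET /api/customers/9001 HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)
RECORD_RE = re.compile(r"^/api/customers/(?P<id>\d+)")  # assumed URL scheme
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def utc(y, mo, d, h, mi, s=0):
    """Build a timezone-aware UTC datetime (keeps comparisons with %z timestamps valid)."""
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)


def parse_log(text):
    """Return (entries, unparsed_count). Unparseable lines are counted, not dropped silently."""
    entries, bad = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            bad += 1
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FMT)
        e["status"] = int(e["status"])
        entries.append(e)
    return entries, bad


def scope_breach(text, suspect_ips, window, log_coverage, total_records):
    """Confirmed records read by suspect IPs in `window`, plus an honest upper bound.

    window       -- (start, end) of the suspected compromise, aware datetimes
    log_coverage -- (first, last) instants the log set is known to cover
                    (from retention/rotation settings, not inferred from entries)
    total_records -- size of the whole store; the bound collapses to this when
                     the logs cannot prove what was *not* accessed
    """
    entries, bad = parse_log(text)
    w_start, w_end = window
    touched, denied = set(), 0
    for e in entries:
        if e["ip"] not in suspect_ips or not (w_start <= e["ts"] <= w_end):
            continue
        m = RECORD_RE.match(e["path"])
        if m and 200 <= e["status"] < 300:
            touched.add(int(m.group("id")))       # successful read of a record
        elif e["status"] in (401, 403):
            denied += 1                           # attempted, blocked: worth reporting
    covered = log_coverage[0] <= w_start and log_coverage[1] >= w_end
    tight = covered and bad == 0
    return {
        "confirmed": sorted(touched),
        "denied_attempts": denied,
        "log_covers_window": covered,
        "unparsed_lines": bad,
        "upper_bound": len(touched) if tight else total_records,
    }


SUSPECT = {"203.0.113.7"}          # constructed indicator
TOTAL_RECORDS = 100_000            # assumed size of the customer table


def demo_covered():
    """Logs span the whole window: the bound equals the confirmed set."""
    return scope_breach(SAMPLE_LOG, SUSPECT,
                        (utc(2014, 4, 17, 2, 14), utc(2014, 4, 17, 2, 19)),
                        (utc(2014, 4, 17, 0, 0), utc(2014, 4, 17, 23, 59, 59)),
                        TOTAL_RECORDS)


def demo_uncovered():
    """Window starts before log retention begins: only 'everything' is defensible."""
    return scope_breach(SAMPLE_LOG, SUSPECT,
                        (utc(2014, 4, 17, 1, 0), utc(2014, 4, 17, 3, 0)),
                        (utc(2014, 4, 17, 2, 14), utc(2014, 4, 17, 23, 59, 59)),
                        TOTAL_RECORDS)


if __name__ == "__main__":
    print(demo_covered())
    print(demo_uncovered())
```

The point of the `log_coverage` parameter is the distinction patio11 draws: "100 records for one customer" is only a defensible statement if your logs provably cover the entire compromise window and every line parsed; otherwise the honest figure to hand to counsel is the whole table, and a 403 on a bulk export endpoint is exactly the kind of attempted-but-blocked access the report should still mention.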

~~~
dennisgorelik
What bad things would happen if he does not follow your advice to "Find out
what data, specifically, you lost"?

~~~
patio11
There may be reputational or hard costs which scale with the size of the
breach, so it may matter whether you e.g. lost 100 records corresponding to
one customer's account or e.g. you can't rule out the possibility that you
lost 100 million records across all customer accounts. For the types of
breaches of most pressing interest to my company, those two scenarios activate
different transitions on a regulatory state machine. I'd hate having either
happen, but the first one means "a major headache" and the second one means
"all I'll think about for the next several months."

------
comex
FYI, the CVE linked to is for an ASLR bypass that could not be used to exploit
anything by itself (only assist other exploits). Though I don't want to impugn
without data, this suggests that you may be jumping to conclusions based on
published security advisories; I'd try to be careful about that, as you could
be missing the actual attack vector.

------
runlevel1
That's a locally exploitable vulnerability. While it could have been used as
part of the larger attack, it implies that the attacker gained access to the
system in some other way.

Correct me if I'm missing something.

