
> On May 31, 2019, CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network

> CBP ... is closely monitoring all CBP work by the subcontractor

What. In the private sector, they'd have been fired and probably legal action levelled against them. The CBP's punishment for this is 'monitoring'? Please tell me I'm reading this wrong...

“In the private sector” covers a lot of ground and I have extreme skepticism about your faith in the process unfolding that way: ask yourself how many breaches you’ve been part of and whether anything more than a press release happened along with waiting for the news to die down. How many customers did Experian lose?

(In the enterprise software world, I can tell you how epic failure to perform on an 8+ figure contract unfolds: the sales guy takes a VP out to the next game so they can discuss it over drinks in the corporate box and nothing will change)

I don't have _much_ experience with this but when I worked for a UK based e-commerce SaaS provider (which was focused on image, so, ymmv) we completely buried a contractor for using sub-contractors which didn't follow our data security standards (which the contractor knew about).

A breach wasn't found, but that contracting company eventually became bankrupt under the weight of our negative press and litigation. I know that this is essentially bullying but it was used as an example to other contractors who might try something like that.

Incidentally the SaaS provider no longer exists, gobbled up by netsuite (which was, itself, acquired by Oracle).

There's pretty strong selection bias in information about data security standards. The companies that have strong ones will go out of their way to publicize that fact, but companies with weak or nonexistent ones will never admit that fact to the general public or news media, and the only thing you may hear about it is when disenchanted employees make anonymous posts on web forums.

If a company with weak data-protection standards wins out over a company with strong ones, it's never because of their lack of data-protection standards. Rather, it'll be because all the other features, pricing, marketing, etc. they can do that's the opportunity cost of decent security. So as far as the information available to laypeople is concerned, most companies do a decent job with security and it's just a few bad apples that happen to be gigantic like Equifax, Facebook, Target, Yahoo, Anthem, and the U.S. government that are screwing things up.

(FWIW, at Google we took security very seriously and implemented some truly heroic measures to keep your data safe.)

> How many customers did Experian lose?

Experian didn't lose any customer data, though. They only lost data on their products. Their actual customers had no reason to stop paying for their services.

It was Equifax not Experian.

I think it's telling that, in this instance, it really doesn't matter. It could have been Experian, with the wave of a butterfly's wings in the Himalayas, it was Experian and nothing changes in that alternative universe.

Some of these https://krebsonsecurity.com/tag/experian-breach/ look like Experian is leaking like a sieve, or am I missing something?

Experian makes its money selling credit checks to banks and other businesses. You're not their customer, you're their product.

Ha. In the private sector, we discovered a vendor was using an actual health database with real users in it for testing their app. It was all covered up, with no monitoring, because we had recently bought that vendor.

Sounds like pretty standard PR legalese to me. I guarantee that the same is going to happen to the subcontractor (after a lengthy investigation, to be sure), but it's bad practice to go throwing around public legal threats, especially for the government which likely has a multi-hundred page contract with these people, and especially at such an early point in any investigations going on.

This is unless the corruption includes those who are managing the subcontractor identified. In which case, the subcontractor is blacklisted and the people responsible move on to another company (i.e., Initrode vs. Initech).

Yea, that's one of the more disturbing modern trends - especially at the C-level, once someone is in that cloud they tend to just rotate jobs consequence free... and maybe occasionally run for president after doing their best to bankrupt HP.

I agree that an individual unfairly blamed by a company for their failure should be able to move on with their life but... we've seen plenty of clearly guilty people get out with a golden parachute and turn to serving on the board of directors of companies for the ridiculous sum that tends to net you.

Playing devil's advocate (and this is likely to be downvoted by the "we hate all management" crowd on HN), but the reality is that there isn't exactly a very large pool of people who have experience running/directing multi-billion dollar companies. If you start blacklisting every single C-level that was ever involved in a controversy, the only choices you're going to have for your board of directors are going to be people that have very limited experience making executive decisions.

IME, this is especially the case for security positions like CISOs, where the pool of people with such experience is excruciatingly limited to begin with (and no, a high level engineer/developer does not have the same skillset as a security professional).

There's also something to be said for allowing people to learn from their mistakes. It's obviously higher stakes for an executive, but it's along the same vein as how we don't blacklist-for-life the developers who write vulnerable code.

This has come up a number of times and I semi-agree with you. It's definitely true that C-level positions do take a special kind of problem solving to navigate with a high emphasis on time management skills that other people (even upper management) can usually delegate up... That said, the only thing restricting new entrants into that market is the resistance of that market. The skills it takes to be a CEO of a multi-billion dollar company are certainly beyond me currently, but it's a skill I could train up to if I tried - especially if I had chosen to do so earlier in life. And these positions do come with a high amount of responsibility, buuut... they don't produce value for the company at all in line with their salaries and they're certainly not irreplaceable.

I don't hate management, I've worked for some great middle managers that have made my life easy - and for some terrible ones that constantly over-promised and pushed the weight down on us in the trenches. For upper management I've worked for three main veins of persons, the ones that micromanage and attempt to constantly invest themselves in every problem - leading to an inability to make good high level decisions... the sort that are removed from business by such an extent that they are unable to reason about direction decisions and fail to support a company's natural growth.. and those that are approachable but limited, who will voluntarily back out of any low level decision discussion but coordinate what decisions are being discussed and what those decisions mean for other portions of the company.

So mainly I'm rejecting your assumption that the pool is limited to begin with - people do come from famous families and waltz into the field with no prior experience, and those who try to work their way up tend to be stifled due to their lack of experience.

I'm not sure I agree with your first paragraph. I mean no disrespect to you or your abilities, but being a C-level executive, especially in a large corporation, isn't something that someone can just "train up to". These types of positions really do require a specific personality, specific desires, often a specific ethic (work ethic and otherwise), specific connections, and more. These are the things, along with the fact that due to organizational hierarchy, there are naturally fewer CEOs in the world than there are entry level workers, that limit the pool.

I'm certainly not saying that all C-levels possess these necessary traits in a positive way, and there are definitely some C-levels that only got where they are because of nepotism or luck, but I also disagree that there is a significant 'stifling' of newcomers. Nearly every company I have worked at has had a specific "track" for its employees to pursue management (including C level) positions, but my experience is that most people just aren't cut out for it (either because they self-selected that they didn't want/enjoy it, or because they didn't have the necessary personality for it). More specific to the tech industry, I've often seen/heard of Silicon Valley companies having separate "Individual Contributor" versus "Management" tracks. Many engineers self-select the IC track because they don't enjoy management aspects.

And that's not necessarily a bad thing, either. Not everyone is destined to be a CEO, nor should that be everyone's goal, and there's definitely nothing wrong with not being a possessor of the negative-in-many-aspects cutthroat ethics that being a CEO often requires. It's not all too dissimilar to how not everyone is destined to be a programmer, and you can't take just anyone off the street, hand them a programming textbook, and turn them into Linus Torvalds, nor should you.

> I mean no disrespect to you or your abilities, but being a C-level executive, especially in a large corporation, isn't something that someone can just "train up to".

My hunch is that this is no more true of C-levels than it is of any other profession where some natural aptitude (eg. above average intelligence) is required. In other words, I think the "pool" of C-levels is small almost solely because of organisational hierarchy; for every C-level there are many more people with the required natural aptitude who are not C-levels. Of course, for a sufficiently narrow domain, the intersection of people with the required natural aptitude and people with the required years of domain experience may become very small.

In that sense, I think being a C-level is something that many people can just "train up to," if given the right opportunities. I'm not sure if there is any empirical evidence that could tell us who's right.

You could look at experience vs performance.

I've seen enough "emergency temporary promotions" succeed in their job that I tend to agree with you and not with the self-serving "I am special" arguments you hear from people in these circles.

> If you start blacklisting every single C-level that was ever involved in a controversy, the only choices you're going to have for your board of directors are going to be people that have very limited experience making executive decisions, and the usual explanations proffered by the "we hate management" crowd - of nepotism, insiderism, back-scratcher-ism - are more likely valid.

If we revert from "involved in a controversy" back to "has demonstrated extreme incompetence", your argument carries less weight. We can at least say that the inexperienced new guys haven't been tested and found wanting. The

I feel that your thesis is broken by definition: if there is such a small pool of people with this level of experience - so small that they are worth the money and are super difficult to replace - shouldn’t they have already made all their mistakes? Isn’t the board, by definition, paying for people who have a very high chance of making good decisions?

> shouldn’t they have already made all their mistakes?

Is there some finite limit of mistakes that humans make over their lifetimes? In fact, it would be the opposite - those who are making more decisions are by definition likely to make more wrong decisions, as compared to someone who doesn't make as many decisions.

> Isn’t the board, by definition, paying for people who have a very high chance of making good decisions?

Yes, which is why the salaries for such positions are often so high.

> Yes, which is why the salaries for such positions are often so high.

The demonstrable lack of financial repercussions for failure, which you are arguing is justified in some cases, belies this causal relationship. I'd echo Taleb and say that if an elite class is to be healthy, incompetence must swiftly and summarily result in expulsion.

They probably are doing some sort of critical service that can't be immediately stopped. That doesn't mean they will get contracts in the future or won't get legal action taken, but it takes time to review all that with the DOJ and decide how to proceed.

Remember the time Experian got hacked and the CEO subsequently retired with a $90M payday? The private sector is just as consequence-free.

Only politically connected companies. If you and I ran a business like that the outcome would have been different. The state has no problem going after small businesses.

The problem is that once you’re over a very low level all companies will be politically connected: those are jobs in someone’s district!

Yeah, no. If you only had to be a medium sized business owner to access that kind of corruption the world would be a much fairer place.

This is kind of tautological, because if you're keeping databases of this size you are necessarily not a small business.

Who said the database needed to be of any particular size?

Experian got hacked? Or are you referring to Equifax? I thought Experian was one of the ones with better security.

If this is a subcontractor, it is the private sector.

I'd expect at least a huge fine and re-evaluation of the whole contract (it could be they are a unique provider that cannot be replaced, but more likely there are other options). Looks like causing private data of hundreds of thousands of people to be stolen is regarded as a minor thing not worthy of real punishments.

Equifax is in the private sector.

> In the private sector, they'd have been fired and probably legal action levelled against them

Tell me again one meaningful action against a data leak in the private sector. I'll wait.

Don't you remember how Equifax was hacked into and their stock price briefly dropped? Then they were burdened with all those email addresses people entered to check their credit... And they had to pay the ultimate price by spamming those addresses constantly with advertisements, and that's not cheap!

And as a free service, I can now have them email me whenever my credit score changes, so I can log in and see that I fluctuate up and down 2 points routinely for "algorithm changes". Take that, Experian!

The issue in question isn't so much the breach, but the misuse of data by the subcontractor. I've personally witnessed people be fired for this, and know of lawsuits that exist for this specifically, and that's just at the company I work for...
