9 comments

[ 2.9 ms ] story [ 30.9 ms ] thread
Over 1.1 Million possibly affected and they dump this just before the holidays when people are not paying attention. It's beyond time there were actual penalties for this kind negligence.
Yes, let's wait until after the holidays so at least 1 month has passed before we publicize the breach, that will surely get the consumers to understand where we're coming from.

I would like to hire you as VP of Public Relations for my company.

Any idea what could possibly help prevent these sorts of things in the future? Could some runtime encryption like Intel SGX or Fortanix help?

(Disclaimer: no ownership in either)

IMO the answer is not technical but legislated responsibility and appropriate penalties. If there was any sort of downside to collecting and insecurely storing all this data the problem would be self-correcting
Put a statutory value on info, and a huge breach bankrupts you, so you seek insurance. The insurers want money, not risk, so they due the living hell out of your diligence. As you said, if it’s done right it’s self-correcting.

BUT... do it wrong and business will adapt in malignant ways, like folding and restarting, or spinning off the liability.

Another breach. Credit where credit is due, they haven’t done too badly with the announcement, but there are some key facts that people would like to know that they unfortunately haven’t mentioned.

* They became aware of it Dec 11th – do they have an estimate of when this occurred?

* They mention what types of information has likely been affected, yet for some reason they mention “no payment details have been breached” right at the end of the Q&A? I’d have expected that to be much higher up the announcement.

* Not needed in the general announcement, but knowing how is always a point of interest (that may just be me, being in the business) – third party? SQLi? etc.

* How did they become aware of this? Did they discover this internally? Or did an outsider give them the heads up.

I’d like to think that one day, that last question can be answered by my startup[0], detecting breaches with a high degree of confidence with pseudo/honey users.

[0] https://breachinsider.com

Judging from the data that was released, it looks like their credit origination system was compromised.
> customer name, address, vehicle make and model, vehicle identification number (VIN), credit score, loan amount and monthly payment

If that turns out to really be the only affected info, does this actually have identity theft implications? It compromises access to NCF accounts, I suppose, but while there's some info that would normally be private (loan amounts, credit score), I don't see any truly sensitive info here. Notably, no SIN, work info, income amounts, or other things you'd expect on a credit application.

Basically, as of now it looks like the post-approval payment tracking system got breached, not the actual approval system.