Free Republic

Hacking danger for outsourced records hard to gauge
San Francisco Chronicle ^ | March 28, 2004 | Carrie Kirby

Posted on 03/28/2004 3:29:20 AM PST by sarcasm

Edited on 04/13/2004 2:46:11 AM PDT by Jim Robinson.

Ankit Fadia, an 18-year-old freelance security tester, has successfully broken into more than a dozen computer networks in India. But the Stanford freshman really doesn't think that's much of an accomplishment.

"As far as computer security is concerned, India is really bad,'' said Fadia, who published three books about computer security before leaving his native India. "Security is not a high priority for Indian companies."


(Excerpt) Read more at sfgate.com ...


TOPICS: Business/Economy; News/Current Events
KEYWORDS: barf; bushbashing; computersecurity; outsourcing; privacy; tinyviolin; trade

1 posted on 03/28/2004 3:29:20 AM PST by sarcasm

To: neutrino
ping
2 posted on 03/28/2004 3:29:57 AM PST by sarcasm (Tancredo 2004)

To: sarcasm
bump
3 posted on 03/28/2004 3:30:57 AM PST by expatguy (Subliminal Advertising Executive)

To: sarcasm
wunnerful!
4 posted on 03/28/2004 3:33:17 AM PST by dennisw (“We'll put a boot in your ass, it's the American way.” - Toby Keith)

To: sarcasm
If my name is Joe Smoe...and thousands of ID bandits from around the world start charging crap on my bill that reaches into the millions of $....Would my government help me?
5 posted on 03/28/2004 3:33:58 AM PST by Dallas59

To: sarcasm
Interesting. I'm no fan of offshoring, but for a lot of small American companies this probably constitutes a security upgrade.

I know of a law office here in the U.S. whose entire network is completely open to the internet, completely unencumbered by firewalls or security of any sort aside from simple passwords. It took months and a few viruses to convince them that anti-virus software may be a good idea.
6 posted on 03/28/2004 3:38:14 AM PST by Doohickey ("This is a hard and dirty war, but when it's over, nothing will ever be too difficult again.”)

To: Doohickey
There's a major law firm in New Orleans that just declared bankruptcy when its office manager was caught skimming the payroll tax. He'd been doing it for four years to the tune of $1.4 million. Apparently accounting controls and external audits were a foreign concept to these guys.

A lot of lawyers don't have a very good head for business...
7 posted on 03/28/2004 3:45:26 AM PST by kms61

To: kms61
"foreign" concept. I get it. hehe he he hehe. :)

A little off topic, but if companies handling private information are going to have to disclose if they are using offshore labor (which I favor), they should also be required to produce a security certification if they possess even one internet-connected computer.
8 posted on 03/28/2004 4:08:07 AM PST by Doohickey ("This is a hard and dirty war, but when it's over, nothing will ever be too difficult again.”)

To: Doohickey; kms61
I know of a law office here in the U.S. whose entire network is completely open to the internet,

I've seen a VP Of Marketing with his entire hard drive shared to Everyone, with employee reviews, salaries, strategic plans available for all to see.

And many academic networks overseas with no firewalls of any kind, running SNMP, and the entire network and its configuration were available to the world 7x24x365.

The security of non-American networks is questionable at best, though there's a slight misdirection in this article: outsourced health care information is not protected under HIPAA regs, so we as health care customers must rely on the outsource processor (in India or the Philippines or wherever) to protect that data under the laws of their home country, and in most cases those laws are zilch.

9 posted on 03/28/2004 4:36:42 AM PST by angkor

To: Doohickey
they should also be required to produce a security certification if they possess even one internet-connected computer.

Agreed. And the U.S. company sending that data overseas should be required to show that their vendor is in compliance with some sort of computer security standard. It most certainly should not be vague and voluntary, as is the case with all data shipped overseas under HIPAA regs (which specifically DOES NOT require any specific privacy controls by the outsourcing vendor).

10 posted on 03/28/2004 4:40:47 AM PST by angkor

To: sarcasm; dennisw; snopercod; joanie-f
New Bill Gates reality TV show

The Outsourcer's Apprentice


11 posted on 03/28/2004 5:14:16 AM PST by First_Salute (May God save our democratic-republican government, from a government by judiciary.)

To: angkor
And the U.S. company sending that data overseas should be required to show that their vendor is in compliance with some sort of computer security standard.

What you are talking about is increasing regulation. Compliance costs of such regulation is precisely what U.S. businesses are trying to escape when they outsource.

Could it be that regulation is not always bad and that government actually serves a useful purpose?

12 posted on 03/28/2004 5:19:02 AM PST by independentmind

costs is are
13 posted on 03/28/2004 5:22:38 AM PST by independentmind

Comment #14 Removed by Moderator

To: sarcasm
"Hacking danger for outsourced records hard to gauge"

Gee, no sh*t! And, this is a surprise to whom?
15 posted on 03/28/2004 5:50:01 AM PST by DustyMoment (Repeal CFR NOW!!)

To: sarcasm; iamright; AM2000; Iscool; wku man; Lael; international american; No_Doll_i; techwench; ...
Thanks for the ping!

I wonder - how much information could terrorist organizations harvest this way? Does anyone know? Does anyone care? Must we have another 9/11 (or worse) to realize the danger we're accepting in exchange for cheap trinkets?

If you want on or off my offshoring ping list, please FReepmail me!

16 posted on 03/28/2004 6:04:44 AM PST by neutrino (Oderint dum metuant: Let them hate us, so long as they fear us.)

To: independentmind
What you are talking about is increasing regulation.

I'm talking about applying the existing privacy and protection regulations to outsourced data as are currently applied to domestic data via HIPAA and Gramm-Leach-Bliley.

However you want to read it, HIPAA provides a very specific escape mechanism for those who outsource protected medical data (either domestically or offshore, though in practice this data is going offshore).

17 posted on 03/28/2004 6:11:12 AM PST by angkor

To: angkor
I don't usually pick nits, but I will in this case. There is very little difference between extending regulation to an area previously not covered and increasing regulation. The salient point to the businesses affected is that they will have increased compliance costs--the escaping of which is precisely what U.S. companies are using as one of the justifications for outsourcing.
18 posted on 03/28/2004 6:20:16 AM PST by independentmind

To: independentmind
Of course the cost of compliance would be higher.

It's a big shell game: pass GLB and HIPAA in the U.S., call it "consumer protection." Then fire the domestic U.S. staff which processed this data (and which was subject to the regs), and send it offshore where the privacy and protection regs are weakened or nonexistent.

Most importantly, do not under any circumstances tell the U.S. consumer what's being done with their private financial and health data.
19 posted on 03/28/2004 7:13:30 AM PST by angkor

To: neutrino
Bank of America and Citibank have already had their customers' accounts stolen in India
20 posted on 03/28/2004 7:33:53 AM PST by international american (Support our troops!! Send Kerry back to Boston!!!!)

