"In the wrong hands" they say
It will get into the wrong hands and identity fraud will be committed, that's how getting pwned works.
And from the quoted text it seems they couldn't even cough up for a year's worth of Experian fraud monitoring.
The bad news keeps on rolling for British recruitment agency Morgan Hunt amid confirmation it suffered a digital burglary, with intruders making off with the personal data for some of the freelancers on its books. In a letter to contractors, Morgan Hunt – which provides personnel services to clients in the charity education, …
@Dan 555
All that seems to happen is the crooks wait for about a year or so before doing anything with the knocked off data.
As for Experian? Well, I suppose they should be familiar with dealing with the fallout from a break-in. They have history with that situation...
As a person that has been dropped from several contracts over the years in favour of dirt cheap overseas outsourcing, and then hired back when they fuck up, I'd be very curious to know where this "third party" dev is located.
UK Business Leaders...yes, local talent is significantly more expensive than overseas talent...but that doesn't make hiring local talent bad value for money...on the contrary. Value for money comes from what you get for the money, not how much money you can save by getting what you perceive to be the "same service".
"Value for money comes from what you get for the money, not how much money you can save by getting what you perceive to be the 'same service'."
Going back 40 years I had a product manufactured by a company in Milton Keynes. The buyer there - to protect the innocent let's call him Duncan Hunter - decided that he could replace an integrated circuit with one that was about 5p cheaper than the one that was specified in the parts list. He never told anybody what he'd done. It wasn't helped by the fact that a guy in the testing department - to further protect the innocent let's call him Roger Kirby - decided to ignore not only the fact that the part wasn't the one that was specified but also the test specifications, which would have made it obvious that it wasn't going to work reliably if they'd actually been followed as per the contract. Long story short, a couple of people had to spend a fortune flying four thousand miles and staying for a month in a hotel so they could rectify 1600 of the friggin' things in the basement at the customer's Chicago headquarters.
I would have thought risk is quite high.
Data stolen included identity documents (so potentially scans of driving licence or passport), bank statements (acc no, sort code, account name, some transactions for those bank security questions you often get asked e.g. describe your regular direct debits), NI number.
All of those are very useful in identity fraud. Next level usefulness compared to just address etc.
Quote from the article: "identity documents, proof of address documents (including any bank or building society statement provided)"
Why is that data even kept online? You would expect they only need that once, when they start working with somebody. Keeping it offline, possibly as hard copy in a filing cabinet, would make it much easier to protect the data. It would cost a little more in storage and clerical expenses, but would make data protection compliance easier and cheaper, and would probably reduce ICO fines and legal hassle from folk whose PII has been leaked.
Or does even thinking of that make me an old fossil?
The supposed experts like SolarWinds cannot even protect their own stuff. It's akin to the burglar alarm company being burgled, or the fire station burning down. Anti-virus/malware is just a catch up game (don't mention so-called "heuristics", they have to be updated too, i.e. catch up with what is actually happening).
Most end users do not know about computer security. That "most" is probably about 90%+ of users. That's fine - I'm not a dentist and don't know the ins and outs of teeth, I only know if I have a toothache I have to go to the dentist. A lot of users think "I have anti virus, I am protected" or even worse is the conceited "I'm using Linux so I don't have to worry so much". Even large organisations with full time IT staff don't always keep their guard up, or they misconfigure something, or some code has a security bug in it.
All of this added up means a computer + network = insecurity.
Back in the day, files like this would have been kept on paper, and Bob the Burglar would have to break in or have somebody on the inside to get these files. Not now.
How many times do we keep needing to read about computers + a security compromise? It's not going to stop. It's not just a matter of updating your OS + apps + AV + firewalls. Computer + network should be considered insecure (now or eventually).
or some code has a security bug in it.
"How many applications do we run that are susceptible to log4j?"
"Don't ask me[0], ask the developers at the various software suppliers."
[0] I'm supposed to install the applications and keep an eye on their performance, not even installing and configuring WebLogic itself. And networking are the ones in charge of the firewalls.
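Taking the question above ("how many applications do we run that are susceptible to log4j?") literally: the answer for a box you only operate is to inventory the jars yourself rather than wait for each supplier. The following is an added example, not code from this thread or from any of the vendors mentioned. It scans a directory tree for jar/war/ear files (one level of nesting inside wars/ears), reads the Maven `pom.properties` that log4j-core jars carry to get the version, and checks for `JndiLookup.class` directly, because the widely used emergency mitigation for CVE-2021-44228 was to delete that class from the jar, which leaves the version string unchanged. The `build_sample_jar` helper and the `demo()` inputs are constructed in-memory fakes so it runs offline; the 2.15.0 threshold is the fix release for CVE-2021-44228 only, so anything at or above it that still ships the class is flagged for review, not declared clean.

```python
import io
import re
import zipfile
from pathlib import Path

# Class abused by CVE-2021-44228 (Log4Shell); many shops mitigated by deleting it from the jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped inside log4j-core jars; contains a "version=2.x.y" line.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# First release that fixed CVE-2021-44228. Later CVEs (2.15/2.16/2.17.0) mean >= 2.15.0 still needs review.
FIXED_AT = (2, 15, 0)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0) so pre-releases sort below the fix."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def inspect_jar(data, name):
    """Return a list of findings for one archive (bytes), recursing into nested jars/wars/ears."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip (or truncated): nothing to inventory
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = parse_version(line.split("=", 1)[1].strip())
    has_jndi = JNDI_CLASS in names
    if version is not None or has_jndi:
        if has_jndi and (version is None or version < FIXED_AT):
            # Unknown version (shaded/fat jar) with the class present is treated as vulnerable: fail closed.
            status = "VULNERABLE"
        elif has_jndi:
            status = "REVIEW"      # class still present at >= 2.15.0; check the follow-up CVEs
        else:
            status = "MITIGATED"   # log4j-core metadata present but JndiLookup.class removed
        findings.append({"path": name, "version": version, "jndi": has_jndi, "status": status})
    for inner in sorted(names):
        if inner.lower().endswith((".jar", ".war", ".ear")):
            findings.extend(inspect_jar(zf.read(inner), f"{name}!{inner}"))
    return findings


def scan_tree(root):
    """Walk a directory (e.g. an app-server install) and inspect every jar/war/ear found."""
    out = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in (".jar", ".war", ".ear"):
            out.extend(inspect_jar(p.read_bytes(), str(p)))
    return out


def build_sample_jar(version=None, include_jndi=False, nested=()):
    """Constructed test fixture (not a real log4j build): a zip with just the entries the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                   f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        for i, blob in enumerate(nested):
            zf.writestr(f"WEB-INF/lib/dep{i}.jar", blob)
    return buf.getvalue()


def demo():
    """Run the scanner over four constructed archives covering the cases that matter."""
    vulnerable = build_sample_jar("2.14.1", include_jndi=True)
    mitigated = build_sample_jar("2.14.1", include_jndi=False)   # class deleted, version unchanged
    fixed = build_sample_jar("2.17.1", include_jndi=True)
    app_war = build_sample_jar(nested=[vulnerable])              # log4j buried inside a deployed app
    results = []
    for name, blob in [("vuln.jar", vulnerable), ("mitigated.jar", mitigated),
                       ("fixed.jar", fixed), ("app.war", app_war)]:
        results.extend(inspect_jar(blob, name))
    return results


if __name__ == "__main__":
    for f in demo():
        print(f"{f['status']:10} version={f['version']} jndi={f['jndi']} {f['path']}")
```

Point `scan_tree()` at the application server's home directory to run it for real. It will not catch a shaded copy of log4j whose packages were relocated, and it does not cover log4j 1.x (different class names, different issues), so treat a clean run as "nothing obvious", not as proof of absence.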