Solved

Legal liability: Vendor allowed Google to index server remote access passwords!

Posted on 2013-11-27
Last Modified: 2015-02-08
Hello,

A client has a software vendor who exposed the client's remote login credentials to Google! I'm looking to get people's thoughts as to the severity of the risk created by this software vendor.

Here is the summary:

The client has a custom business application made by a software company, we will call them SWX, which has been installed and running for a number of years. During the initial install, SWX required 24/7 administrative remote access to the client's server, as SWX has to log in remotely often for ongoing support of their software.

Recently, SWX inadvertently exposed their own internal support database to the internet. Google was able to index their entire client database, which included ALL client remote access passwords and credentials, including VPN credentials, public IP addresses, protocols, everything! Looking at the dates of the information, it shows that this data was on Google (for hackers to see) for at least 2 months!

Upon finding the information, of course we instantly changed passwords, shut down remote access, had Google get that information off their search engine, scanned for threats, etc.

But what we are left with is risk and liability.  I feel SWX created massive risk for the client.  There is no way the client can be assured that their system has no backdoor or that it is not compromised in some way, correct?  That being the case, the only option the client has to address their current and future liability is to reinstall the operating systems and software on all machines (server and workstations) at the same time, correct?

The reason I am asking for opinions here is because the client's legal team appears to be unsure of the severity of SWX's breach from a technical perspective, and what kind of risk and liability SWX created. Therefore, I'm hoping to gather feedback from other IT-minded folks to support what I have been telling them (that this is the worst breach I have ever personally seen).

Therefore, if you can, please let me know:
1) What risk and liability did the software vendor create?
2) What is the technical response that should be done to address the risk/liability? (Should the systems be rebuilt?)
3) Is this a situation in which the client or their legal team should EASILY be able to get outside IT advisers/experts or IT companies to review the situation, submit their expert opinion, and prove to the software vendor that they should pay for a rebuild?
4) Can the software vendor be liable or responsible for more than the cost of the rebuild?

Thanks for all your help!
Question by:johnhiro007
12 Comments
 
LVL 6

Expert Comment

by:donnk
ID: 39684870
This is a legal rather than technical question.

I would be curious though how it was exposed specifically.
 

Author Comment

by:johnhiro007
ID: 39686058
Hi,

I'm looking for responses on the technical aspects of the situation. I understand that ultimately it is legal, but the legal is based largely on the technical. Just pretend you are brought in as an expert IT witness, and asked to comment on the case (based on the information given above)...

Thanks!
 
LVL 20

Assisted Solution

by:masnrock
masnrock earned 100 total points
ID: 39687280
I'm not answering quite in the style you want, since I'm not a forensics expert, but enough to get you going in the right direction.

1) What risk and liability did the software vendor create?
Unauthorized access by any party, loss of security of the database and/or system, as well as a huge security hole. Additionally, potential loss of revenue and customers.

2) What is the technical response that should be done to address the risk/liability? (Should the systems be rebuilt?)
First off, changing all of the passwords related to the system. Also, there needs to be a validation of the system's security and integrity, as well as the data's integrity. Being as not all of the risks created can just be removed, a rebuild of the whole system would be recommended.

3) Is this a situation in which the client or their legal team should EASILY be able to get outside IT advisers/experts or IT companies to review the situation, and submit their expert opinion, and prove to the software vendor they should pay for a rebuild.
You will need someone involved in computer forensics to strengthen your case. You'll need to show whether or not the logs have been tainted, and if so, by whom. The more detail you can obtain detailing negligence on the part of the software vendor, the stronger your case will become. But to CYA, you will also need to make sure that risks were not already there from the actions of others.

4) Can the software vendor be liable or responsible for more than the cost of the rebuild?
Presumably so. Numbers can be assessed to damages caused by their actions, such as unauthorized access and removal of information. That causes potential problems with customers, etc. Also try to compute an estimated loss of revenue due to the incident as well.
 

Author Comment

by:johnhiro007
ID: 39730939
Hi,

Thanks for your response! In review, or to summarize this whole situation: is the fact that SWX created an undisputed risk for the client basically enough to require a rebuild? I say undisputed, because SWX admits fault in leaking credentials to Google.

SWX will likely request proof that the client's system was 'actually' hacked, and that their leaked credentials were used. But there is no reason to have to prove any actual breach, since the fact is, it is impossible to guarantee to the client that no back doors could have been installed?

I'm just trying to simplify this whole case, and see if the focus can stop at the risk created and the recommendation by IT experts for a rebuild. Hopefully, the client does not have to get into forensics, logs, etc. What are your thoughts on the risk and action based on the Google leak only?

Thanks!
 
LVL 20

Assisted Solution

by:masnrock
masnrock earned 100 total points
ID: 40337650
The Google leak by itself shows that SWX created a huge security risk that nobody can deny. However, without logs or forensic evidence, there is no way to show that someone actually accessed the system in an unauthorized manner, unless you decide to check the system for backdoors, in which case I'd still say get a forensics expert.

I would make sure that all passwords are changed, and would highly recommend to rebuild the system and work on making sure that the data is clean. (Given that it was their screw up, you have the leverage to squeeze this out of them in exchange for remaining one of their clients)

A breach would be extremely difficult to prove, but did SWX take any steps to mitigate the issue? At least they did acknowledge that they are at fault. If anything, they should be offering their clients a lot of goodwill in order to prevent them from leaving, in addition to changing a number of internal procedures. Since you have record of them admitting fault, keep all records just in case a breach can be proven in the future.

Sometimes the sheer threat of legal actions and/or switching to another vendor is more than enough to scare them.
 
LVL 58

Expert Comment

by:Gary
ID: 40337651
To all four questions: this really is a case for a solicitor. Even within the US, different states have different laws regarding consumer data breaches, and what does the contract between the two of you state?
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 40337665
I am not a forensics expert either.  But from the sound of it I would guess you will need one.  The potential monetary loss is extreme, and this should be the focus of any forensic calculations.  We generally figure this out on a lost work hours basis (note that this can be fairly extensive since one person's loss of one hour's worth of work can exponentially affect others).
 
LVL 42

Accepted Solution

by:Davis McCarn
Davis McCarn earned 150 total points
ID: 40337732
1) I am a forensics expert with over 30 years of experience (though, admittedly, something of a rogue in today's world as I use unconventional methods).
2) The crux of any civil action is the damages sustained and proving the loss can be troublesome.  If that loss is due to negligence, most often the award is tripled depending on the state.
3) Get a copy of Microsoft's Windows Defender Offline ( http://windows.microsoft.com/en-us/windows/what-is-windows-defender-offline ) and run it on every PC they have.  If it finds anything, do not fix it; but, rather document what it found and, if possible, where.
4)  If Defender finds a positive, either clone that PC's hard drive using a sector by sector utility, or shut it down and hire an expert.

Hanging user credentials out on the web is a pretty serious issue, and having the contractor admit to it could make it an open-and-shut matter. The legal issues involve whether they have the money to "pay up" and whether their negligence was causative in the breach.

If this even touches HIPAA, they could be in much deeper kimchi!
 
LVL 28

Assisted Solution

by:mikebernhardt
mikebernhardt earned 100 total points
ID: 40337761
I disagree with some of the other opinions above: My personal opinion is that there is no requirement that the organization prove it was actually breached in order for SWX to be liable for the costs involved in making that determination and cleaning it up as required. Note how Adobe, Target, and others gave free credit protection services to people whose personal information was compromised, without requiring individuals to first prove that it was actually used.

But I would certainly be consulting an attorney who specializes in these types of cases about what proof is required, or not required, to demonstrate the level of financial support that is needed. There are attorneys who are very proficient in these issues, both legal and technical, and they are your best source for direction.

A team dedicated to investigating breaches, not just a forensics person, should be brought in at SWX's expense to make the call as to whether a complete rebuild is needed or whether they got lucky and closing the holes is enough. That attorney will have some names.
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 40337799
I just noticed that this question was asked last November! Is it still even relevant!? How did it just pop up as a new question?
 
LVL 47

Assisted Solution

by:dlethe
dlethe earned 150 total points
ID: 40339239
The correct course of action is to immediately contact an IP attorney (one who specializes in intellectual property law). He/she will advise you. No matter what, you have damages. There will be a cost associated with locking things down and changing passwords.

I don't know where you are located, but if you are in the Dallas area, then I suggest my IP attorney, http://www.carrip.com
(They handled several things for me, from NDAs, my patent & trademarks, patent infringement, and litigation regarding  work for hire and damages)

Certainly use somebody local; I'm just throwing them out there because you didn't mention that from the beginning, and went to EE instead of an IP attorney from the beginning ... I expect you just aren't up on getting help from lawyers when you need it.

Any decent IP attorney would have answered your questions from the beginning, and wouldn't need help from EE users on the technical aspects.
 

Author Comment

by:johnhiro007
ID: 40597486
Ok, Thanks.