johnhiro007 asked:
Legal liability: Vendor allowed Google to index server remote access passwords!

Hello,

A client has a software vendor who exposed the client's remote login credentials to Google!  I'm looking to get people's thoughts as to the severity of the risk created by this software vendor.

Here is the summary:

The client has a custom business application made by a software company, we will call them SWX, which has been installed and running for a number of years.  During initial install, SWX required 24/7 administrative remote access to the client's server, as SWX has to log in remotely often for ongoing support of their software.

Recently, SWX inadvertently exposed their own internal support database to the internet.  Google was able to index their entire client database, which included ALL client remote access passwords and credentials, including VPN credentials, public IP addresses, protocols, everything!  Looking at the dates of the information, it shows that this data was on Google (for hackers to see) for at least 2 months!

Upon finding the information, of course we instantly changed passwords, shut down remote access, had Google remove that information from their search engine, scanned for threats, etc.

But what we are left with is risk and liability.  I feel SWX created massive risk for the client.  There is no way the client can be assured that their system has no backdoor or that it is not compromised in some way, correct?  That being the case, the only option the client has to address their current and future liability is to reinstall the operating systems and software on all machines (server and workstations) at the same time, correct?

The reason I am asking for opinions here is because the client's legal team appears to be unsure of the severity of SWX's breach from a technical perspective, and what kind of risk and liability SWX created.  Therefore, I'm hoping to gather feedback from other IT-minded folks to support what I have been telling them (that this is the worst breach I have ever personally seen).

Therefore, if you can, please let me know:
1) What risk and liability did the software vendor create?
2) What is the technical response that should be done to address the risk/liability? (Should the systems be rebuilt?)
3) Is this a situation in which the client or their legal team should EASILY be able to get outside IT advisers/experts or IT companies to review the situation, submit their expert opinion, and prove to the software vendor that they should pay for a rebuild?
4) Can the software vendor be liable or responsible for more than the cost of the rebuild?

Thanks for all your help!
donnk:

This is a legal rather than technical question.

I would be curious though how it was exposed specifically.
johnhiro007 (asker):

Hi,

I'm looking for responses on the technical aspects of the situation.  I understand that ultimately it is legal, but the legal is based largely on the technical.  Just pretend you are brought in as an expert IT witness and asked to comment on the case (based on the information given above)...

Thanks!
SOLUTION by masnrock (United States): solution text only available to members.
Hi,

Thanks for your response!  In review, or to summarize this whole situation: is the fact that SWX created an undisputed risk for the client basically enough to require a rebuild?  I say undisputed because SWX admits fault in leaking credentials to Google.

SWX will likely request proof that the client's system was 'actually' hacked and that their leaked credentials were used.  But there is no reason to have to prove any actual breach, since the fact is, it is impossible to guarantee to the client that no back doors could have been installed?

I'm just trying to simplify this whole case, and see if the focus can stop at the risk created and the recommendation by IT experts for a rebuild.  Hopefully the client does not have to get into forensics, logs, etc.  What are your thoughts on the risk and action based on the Google leak only?

Thanks!
SOLUTION: solution text only available to members.
To all four questions: this really is a case for a solicitor; even within the US, different states have different laws regarding consumer data breaches, and it depends on what the contract between the two of you states.
I am not a forensics expert either, but from the sound of it I would guess you will need one.  The potential monetary loss is extreme, and this should be the focus of any forensic calculations.  We generally figure this out on a lost-work-hours basis (note that this can be fairly extensive, since one person's loss of one hour's worth of work can exponentially affect others).
ASKER CERTIFIED SOLUTION: solution text only available to members.
SOLUTION: solution text only available to members.
I just noticed that this question was asked last November! Is it still even relevant? How did it just pop up as a new question?
SOLUTION: solution text only available to members.
OK, thanks.