IS breach repercussions
April 1, 2009 8:50 AM

A former employer (left under good terms) has had an information security breach.

I mainly did their web site, "light" IT work, copywriting/design/marketing, and "misc." I had admin privileges and set up systems because I was the only one who knew computer stuff. Complicating things, I have done (a very small amount of) web-related consulting for them since leaving, with no contract, and was the one who reported the breach, found while doing a job. They had a consultant from the hosting firm look at it, and the breach goes back a while, to just before my end date. They don't think I did anything intentionally and are still giving me work, but reportedly the consultant who looked at the system said very negative things about my competence and that I may have left a hole open. I don't know what I did yet and don't know when details will be forthcoming. My former employer doesn't seem mad about it yet, but they also don't know any details. Very small company, no written IS policy, no other sysadmin, and none since I left.

I am relatively inexperienced, both in security and in my career overall. I had a lot of responsibility at this company... maybe more than I should have. How worried should I be, and about what? Right now I am not sleeping well. They might have to notify clients, etc. Could a mistake like this be considered negligence in a legal sense, or is it something someone would normally just be reprimanded or fired for? Should I try to ask questions and get resolution, or wait to be contacted?
posted by anonymous to computers & internet (13 comments total)
They don't sound like they are too worried about it - especially if they are still giving you work. From the sounds of it, they got you to set up the system because they were already paying you and it was cheaper for them than getting someone else.

The hosting firm is always going to try to point the finger of blame somewhere else if they can, and in this case they can point it at you. But, realistically, it is pretty impossible to be on top of every security issue and it doesn't sound like that was ever your role.

Don't worry about it too much. I understand it's difficult not to think about, but really the responsibility lies with the company who hired you. I'd wait and sit things out, and not fret over it, as really at this stage it is not even clear that what occurred was the result of your work. Plus, if the company are still giving you work then they hardly feel it is too serious or that you were majorly at fault.
posted by Elmore at 9:06 AM on April 1


I doubt you have anything to worry about. It sounds like you did the work you were asked to do in good faith and to the best of your abilities, so there's likely no grounds for negligence (IANAL). What is more likely is that the consultant (historically and appropriately-here also referred to as "insultant") is tooting their own horn, extrapolating -- and I'm assuming here -- that because some vulnerability is documented somewhere, you "left it open." Reality is hardly that cut and dried, and the consultant is just trying to make themselves look good by denigrating you. It doesn't sound like the company is necessarily falling for this, but don't let it get you into a battle with the consultant. These errors happen all the time.

As to your second paragraph, the typical response here is to close the hole and get on with business, notifying clients if necessary, but likely not pinning it on you. I wouldn't worry about them saying, "I'm sorry, but we had an INCOMPETENT employee named "JOE BLOW," who lives in "YOUR TOWN, USA" who BROKE our site ON PURPOSE." To repeat, it doesn't sound like you did anything actionable.
posted by rhizome at 9:14 AM on April 1 [1 favorite]


If this was a large company, you would have to worry since somebody higher up than you would go "oh shit...this is technically my fault. I need to make some heads roll so mine doesn't." It obviously isn't the case since its a small company.

I'm guessing you can sit down with the bigwig and have a face-to-face talk.
I think you're more of a hero than anything since you pointed out a hole that would have NOT been noticed had you not been there.

Don't worry about it, get some sleep, and you're golden.

Good luck.
posted by hal_c_on at 9:15 AM on April 1


If the company is still giving you work, talk to the person who gave you the work most recently, saying something like "gee, I'd like to know what happened so I can prevent it from happening again in future work I do myself or that I'm closely related to."
posted by DreamerFi at 9:25 AM on April 1


How worried should I be, and about what? Right now I am not sleeping well.

I'm not a legal expert but from what I know you shouldn't be losing sleep over it. Even in an extreme case, such as if a car manufacturer sells a car with a flaw that causes the brakes to go out, the company has to pay for a recall or settle lawsuits but the individual employee is protected from liability (any lawyers feel free to correct me on that). If the problem has already been fixed and you're still getting work, it doesn't sound like they are going to hold it against you and avoid using your services in the future.

Also, don't worry too much about the consultant's comments. As you said, you don't have too much experience so of course there are going to be some things that you did wrong. In my opinion it's unprofessional for someone to badmouth other technical experts when talking to management, so if I were him I would have just said that there was something wrong with the configuration and left it at that.
posted by burnmp3s at 9:52 AM on April 1


In my opinion it's unprofessional for someone to badmouth other technical experts when talking to management

Yes, but in the world of insultants this is de rigueur. If the consultant can convince management that their own staff is incompetent, management will perceive a greater need to rely on the consultant's services.
posted by rhizome at 10:02 AM on April 1 [1 favorite]


In my opinion it's unprofessional for someone to badmouth other technical experts when talking to management

I agree with rhizome, I wouldn't worry about this at all. If you don't have a scope of services or any sort of master agreement, you're golden. They were probably asking you to do all sorts of things, right? If they wanted someone who would catch this sort of thing they'd hire someone more qualified at the higher price. They can't, so they have you. That's not an insult, but look at Metafilter's recent troubles. Yeah, if they had a team of database people on the payroll it wouldn't have been a problem. They don't, a problem comes up and they fix it. That's how small businesses run.
posted by geoff. at 10:19 AM on April 1


How much money is involved? That's the real issue, it seems to me. If there's a lot of money involved, it's probably worth a quick legal consult just to make sure your ass is covered.
posted by paultopia at 10:24 AM on April 1


Unless you did something like set the admin password to your mail server to "password", I wouldn't worry about it at all. IT security consultants are almost always aggressive and only slightly less condescending toward other IT people than they are against end users, mainly as a means to scare up more business. He's probably, as we speak, writing up a proposal to do a "thorough security audit of all systems".

If you are going to continue to be a freelancer, though, consider incorporating. If you ever did something while under contract that was actionable against you, you'd want some protection.
posted by mkultra at 10:40 AM on April 1 [1 favorite]


Okay, you were doing copywriting amongst your IT duties? And there were no written policies? Perhaps an IT executive or manager in a large company would bear responsibility for ensuring the security of private data in the absence of a job description involving it or specific direction to do so but not anyone in your situation.

IANAL but as far as I'm concerned, in a small business that's handling private data the buck stops with the proprietor / LLC member-agent / etc. or whoever's in charge. If you weren't the person whose responsibility it would've been to write the privacy or data security policies you are in no way culpable for the consequences of such policies not being in place - much less at fault for not following non-existent policies!

Take it back to pre-computing days: if paper files with personal data in them were stolen because there was no lock on the front door nor on the filing cabinet, you wouldn't fault the filing clerk or the carpenter who built the filing cabinet or the building's landlord. You would fault the small business owner who didn't get locks installed and arrange security measures when he knew his company was responsible for safeguarding his customers' information. That's true even if the owner doesn't personally know exactly how to do that / isn't a locksmith or an IT guy.
posted by XMLicious at 10:52 AM on April 1 [1 favorite]


but reportedly the consultant who looked at the system said very negative things about my competence and that I may have left a hole open.

There's no shortage of consultants who make shit up or overemphasize an edge case to justify their fees and to sell the client on the idea of fear. Without specifics it's impossible to judge the claim.

I am relatively inexperienced, both in security and in my career overall.

This is why they have no right to be mad at you. They could have paid a fair wage for an experienced admin, but took the cheap route by having the web guy handle everything.
posted by damn dirty ape at 10:58 AM on April 1


IANAL, but if they had asked you to help build a house, and someone broke in via a window, you would hardly be liable, would you? They put bars on the broken window and move on.

All security is relative. Unless you provided a guarantee that no one could break in, then no one would suppose that you are responsible for providing 100% security after you left.
posted by musofire at 11:14 AM on April 1 [1 favorite]


Especially since this is a _hosting company_ consultant I wouldn't worry about it too much. They are most likely trying to cover their ass. Sure, you could have made a few mistakes leaving some points of entry open, but with a job description as wide as that who wouldn't? The real test is if they keep giving you work ... they must trust your competency.
posted by shownomercy at 12:58 PM on April 1

