Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
OPM Data Breach Lawsuit Tossed, Fed Plaintiffs will Appeal
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
9/21/2017 | 9:40:34 AM
Interesting
Workers cannot sue because of a data breach.  Read that: PEOPLE cannot sue over a data breach - Equifax.  This could have enormous legal consequences - something to watch.  (Lawyers love this stuff).
tim77
50%
50%
tim77,
User Rank: Apprentice
9/21/2017 | 12:25:18 PM
Information vs Money
Why should one have to prove they are damaged by having their information stolen? If a thief steals your money you don't have to prove they spent it only that they stole it. Information should be treated in the same manner!
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
9/21/2017 | 12:41:35 PM
Re: Information vs Money
Good point - information theft is invisible if compared to car or money theft.  If a thief breaks into your home, that is a robbery.  If a thief steals a garden hose outside, that is theft.  There is a difference.  Information is invisible of course but if you went to your ATM and instead of seeing $33,202 in savings and there is $-29.33 there, I would think legal recourse has to be taken somewhere.  A thief broke INTO SOMETHING to get your data.  The thief did NOT RETRIEVE YOUR ATM CARD from the street.  Same difference.  

The answer to your question is WHO was guarding the vault?  Who has responsibility for the vault?  If i leave my house wide open with a sign saying MONEY IN HERE, then I am clearly at fault.  Same with Experian to a degree.
gwilson001
50%
50%
gwilson001,
User Rank: Strategist
9/21/2017 | 2:06:00 PM
Re: Interesting
That is the underlying threat here - a precedent that Equifax will surely jump on to ward off the class action suits against them.  This was a shortsighted decision by a Judge that clearly does not understand the problem or the the impact this stupid decision will have on millions of victims of the Equifax and other future data thefts.

This is a common probelm, the judiciary does not understand technology and they consequently make idiotic rulings based on that lack of understanding.  This could let Equifax off the hook as far as civil actions are concerned.  unfortunate because Equifax should not be allowed to continue as a business - they cannot be trusted with sensitive data we have not given them explicit permission to aggreagate and store.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
9/22/2017 | 8:28:02 AM
Based on outcome
I understand that this judgement was made based on the lack of evidence that attackers maliciously used the data in question but is there a statute of limitation for instances like this?
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
9/22/2017 | 2:39:41 PM
Re: Based on outcome
There is also a time-value on WHEN an attacker decides to use that stolen Mastercard number of SS number is there not?  An actor may wait weeks or months or have to dig through the 143 million stolen from Equifax before action is indeed taken.  Theft is theft - and break-in is theft writ large.  This is quite a legal tangle!!!  Kinda like stealing a car out of a driveway without breaking the window but parking it around the block until, oh, one night when it is sold for parts!!!  When IS the criminal act perfrmed?  
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/25/2017 | 11:33:37 AM
Strange
The workers won't be able to sue because they cannot show the stolen data has been used by attackers This is new for me, so breach can happen but if data is not used that would not be consider an issue. Interesting.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/25/2017 | 11:34:55 AM
Re: Interesting
Lawyers love this stuff Yes, it does not make sense and confuses the public, that would help lawyers.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/25/2017 | 11:36:09 AM
Re: Information vs Money
If a thief steals your money you don't have to prove they spent it only that they stole it. That makes sense, I wonder where the judge is coming from. Very strange decision.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/25/2017 | 11:38:51 AM
Re: Information vs Money
information theft is invisible if compared to car or money theft That makes sense however data/information is value to the owners of that, and stolen so there should be consequence on that.
Page 1 / 2   >   >>


Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27605
PUBLISHED: 2020-10-21
BigBlueButton through 2.2.8 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox."
CVE-2020-27606
PUBLISHED: 2020-10-21
BigBlueButton before 2.2.8 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
CVE-2020-27607
PUBLISHED: 2020-10-21
In BigBlueButton before 2.2.8 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or tr...
CVE-2020-27608
PUBLISHED: 2020-10-21
In BigBlueButton before 2.2.8 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.
CVE-2020-27609
PUBLISHED: 2020-10-21
BigBlueButton through 2.2.8 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant.