There are three interesting things for CSOs to think about in this story on a leak of passport and other personal information on tens of thousands of people:
- If you are going to use Infrastructure as a Service providers like Amazon, make sure that the people using them take the time to learn about and use the security features. Amazon provides the means to store data securely and has a wealth of documentation on security best practices. Having a breach due to an improperly configured S3 bucket is amateur hour, folks.
- When acquiring new companies, especially small ones, security due diligence needs to be job one. Finding out where sensitive information is stored and how it is protected is a must.
- Know your third parties (and those of your acquisitions) – FedEx blamed the breach on an unnamed third party. Remember – you can outsource the function, but you cannot outsource responsibility for security. When doing an acquisition, look at the list of every vendor that the target company pays and figure out which ones might be holding data.
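The "improperly configured S3 bucket" in the first point is something a due-diligence reviewer can check mechanically. The following is an added example (not code from the original post) that classifies one bucket's settings offline: it takes the structures that boto3's get_bucket_acl, get_bucket_policy and get_public_access_block calls return, and the sample inputs at the bottom are constructed, not data from any real bucket.

```python
import json

# Group URIs that appear in S3 ACL grants (real AWS values).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def acl_is_public(acl):
    """True if any grant in a get_bucket_acl response targets an everyone-group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            return True
    return False

def policy_is_public(policy_doc):
    """True if an Allow statement uses a wildcard principal and has no Condition."""
    if not policy_doc:
        return False
    for stmt in json.loads(policy_doc).get("Statement", []):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
            return True
    return False

def assess_bucket(acl, policy_doc, bpa):
    """Return findings for one bucket; bpa is the PublicAccessBlockConfiguration
    dict, and an empty dict models a bucket where it was never turned on."""
    findings = []
    if not all(bpa.get(flag, False) for flag in BPA_FLAGS):
        findings.append("Block Public Access is not fully enabled")
    # IgnorePublicAcls neutralises public ACL grants and RestrictPublicBuckets
    # neutralises public bucket policies, so only report what is actually exposed.
    if acl_is_public(acl) and not bpa.get("IgnorePublicAcls", False):
        findings.append("ACL grants access to AllUsers or AuthenticatedUsers")
    if policy_is_public(policy_doc) and not bpa.get("RestrictPublicBuckets", False):
        findings.append("bucket policy allows Principal '*' without a Condition")
    return findings

# Constructed sample inputs (not real buckets): one leaky, one hardened.
LEAKY_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]}
HARDENED_BPA = {flag: True for flag in BPA_FLAGS}
```

Run it over every bucket in the acquired account's inventory and treat any non-empty result as a finding to resolve before sensitive data is allowed to stay there.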
I have been through the acquisition process a few times in the past ten years – identifying show-stopper issues during due diligence is important, but it is vital to keep the process going after the deal is done. The more you dig into the security of the acquired firm, the more “interesting” security issues you will find.