Some folks may recall my anger on August 18 over a vendor who wasn't responding to alerts about exposing their clients' data. The data included court files or records that were confidential or even sealed. At the time, researchers had discovered two entities that were exposed. They subsequently discovered more.
Yesterday, the vendor -- who had even ignored a call from the FBI -- finally secured one of the two after the client finally reached them on the phone.
The vendor told them they had fixed the problem. But did they?
[SPOILER ALERT: No.]
You won't believe what happened next, or maybe you will, but you'll have to stay tuned for this story, which has now gotten astronomically bigger because not only were the data still not secured but the vendor -- after claiming that the researchers had used hacking techniques to access unsecured data -- inexplicably sent the client a list of ALL of the vendor's clients with their technical details AND ALL OF THEIR LOGIN CREDENTIALS.
[WTF!?]
I have never been as tempted to issue an actual press release warning all entities about a specific vendor, but... wow.
Stay tuned. Eventually, I will write this all up, but first, I want to hear what the client's lawyers and insurers decide to do to hold the vendor accountable.
(August 18 post: https://infosec.exchange/deck/@PogoWasRight/115033245331860859)
#databreach #dataleak #incidentresponse #incidentmanagement #thirdparty #vendor #accountability