What's been your company's biggest security leak?

security

These aren't my company's leaks, but, leaks that I would consider somewhat significant:

  • Third-party credit card processors maintaining username/password/hostnames in the clear so that when they're hacked, dozens of hosting providers need to restore backups.

  • Large national chain stores that have no business storing credit card numbers, having those card numbers stolen.

  • Government employees/contractors having detailed personal information on a laptop that was conveniently lost prior to the purchase of a larger house or boat.

  • Facebook application developers using third party ad systems without sanitizing the data first. Even though the graph token is only valid for 7200-8800 seconds, it is enough to grab data from Facebook and post to that user's wall. Kudos to application developers that have asked for extended permissions.

  • Selling government data to foreign governments for 25 years before the very agency that looks for this sort of thing figured it out.

  • Credit card processors that feel the need to not follow the very same restrictions that they place on merchants, then, due to the threat of the business having to pay, having Visa waive the requirement that they notify all 40 million affected cardholders because it would have a negative impact on their stock price.


My company is very small and has fortunately not suffered any security leaks of personal/financial information thus far (knock on wood).

If I had to narrow down our two "most vulnerable" spots most likely to leak information I believe it would be the following:

  1. Google. We use Google Apps Enterprise hosted email, calendar, contacts, documents, and so forth. Don't get me wrong, these services are great and I'm a big Google fan, but all that information is still "out on the cloud" and I can only assume it's being taken care of. Very sensitive information like credit card numbers and other financial data is stored in a database on a local server, but we still have many confidential communications running through Google.

  2. Users. Need I say more?

Related

slow software raid
Apache treating files with ".var[.]" in their names as type-maps
How do you find system manufacturer/model on Linux without root access?
Samba, Apache and SVN. Getting the permissions right
Hyper V network adapter configuration on parent partition
Making an ASA TFTP backup through VPN
how to change the maximum number of connection to Oracle database?
Windows Server 2008 R2 as VPN Server
List of Sysadmin Troubleshooting "Fire Drills"
Cisco IOS: Segregating VLANS
Unable to upload file FTP
able to dig a hostname but doesn't resolve via ssh or ping