
How Much Does a Reputation For Security Matter Anymore?

Soulskill posted more than 4 years ago | from the eh-i'm-sure-they'll-patch-it-soon dept.

Security

dasButcher writes "We often hear that businesses risk their corporate reputations if they don't have adequate security. It's been a common refrain among those selling security technologies: protect your data or suffer the reputational consequences. But, as Larry Walsh points out, the evidence is against this notion. Even companies that have suffered major security breaches — TJX, Hannaford, etc. — have suffered little lasting damage to their reputation. So, does this mean that reputational concerns are simply bunk?"


98 comments

Not much, but enough (-1, Troll)

Anonymous Coward | more than 4 years ago | (#29039237)

It matters more than the length of Rob Malda's baby penis!

Re:Not much, but enough (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#29039313)

It matters more than the length of Rob Malda's baby penis!

Interesting... Why does this matter to you at all? Is he really the only man who can dominate you?

Re:Not much, but enough (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#29039463)

Shut the fuck up you fucking faggot. If you ever post under me again, I will rip your dick off and shove it down your throat.

Re:Not much, but enough (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#29039825)

Shut the fuck up you fucking faggot. If you ever post under me again, I will rip your dick off and shove it down your throat.

IOW: yes

Re:Not much, but enough (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#29039881)

I take it you'd prefer it if he was on top?

bad news is good news? (4, Interesting)

An anonymous Frank (559486) | more than 4 years ago | (#29039315)

Outside of geek circles, people might assume that if a firm has just suffered a security blunder, that they'll sure be addressing the issue seriously, and that they will make sure it doesn't happen again, as opposed to firms that haven't and presume that security is something other people need to worry about.

Don't know about repeat offenders though.

There is no "might" about it (1, Insightful)

Anonymous Coward | more than 4 years ago | (#29039403)

People want to feel safe. To that end, most people wind up playing mental games with themselves. Rather than make themselves aware of the danger (so they can make educated decisions that further their own safety) they just tell themselves stories about how governmental regulation or economic self-interest will drive these companies to provide the desired level of safety.

It isn't too different from doublethink (from the book, "1984").

It is so common, in fact, that those who refuse to engage in this practice, and instead aspire to learn what the actual state of security is and to take actions that protect themselves from danger, are given the label "paranoid."

Re:There is no "might" about it (0, Offtopic)

Dan541 (1032000) | more than 4 years ago | (#29049775)

It isn't too different from doublethink (from the book, "1984").

I would read it but it was deleted.

Re:bad news is good news? (2, Insightful)

Z00L00K (682162) | more than 4 years ago | (#29039433)

The biggest blunder a company can make is to try to hide that there has been a security breach because if they do try to hide a breach and it leaks then there may have been other breaches that aren't revealed.

Being open about breaches and the impact of the breach is not hurting a business, and it may also cause other businesses to look after their measures.

Repeated offenses may of course have an impact on the reputation.

For any laptop owners out there with sensitive data - use things like TrueCrypt. If you do then it's at least possible to claim that the data was encrypted and therefore not likely to spread.

Re:bad news is good news? (2, Interesting)

plover (150551) | more than 4 years ago | (#29044501)

The biggest blunder a company can make is to try to hide that there has been a security breach

Correction: the biggest blunder a company can make is to hide that there has been a security breach AND THEN GET CAUGHT. If they're successful at hiding it, there is no penalty at all.

This is just one form of the classic Prisoner's Dilemma [wikipedia.org].

CD Universe died from bad reputation????? (1)

winkydink (650484) | more than 4 years ago | (#29039441)

In 2000, I think the thing that killed an online store selling CD's wasn't a bad online rep.

Think back. What was all the rage in 2000? Napster.

Re:CD Universe died from bad reputation????? (0)

Anonymous Coward | more than 4 years ago | (#29039773)

Um. Also CDnow, Amazon, etc.

Re:bad news is good news? (0, Interesting)

Anonymous Coward | more than 4 years ago | (#29039975)

Inside of geek circles, if a company had even a minor security breach back in 1946*, stubbornness and a "NEVAR FORGIVE NEVAR FORGET" mentality kicks in and persists until a few years after the geek is no longer able to interact with the world at large due to his/her hundreds of boycotts self-locking him/her out, forcing a begrudging sort of "Okay, FINE, maybe I'll trust you to ONE of my l33t aliases..." response.

*: Okay, I kid, I kid. This is only if the company makes really shiny or candy-colored junk. Otherwise, there's a far greater chance that if the company hasn't had any security breaches, the geek will assume they just hide them better and use that as "evidence" to not trust them.

Re:bad news is good news? (0)

Anonymous Coward | more than 4 years ago | (#29047065)

Security blunders can have a huge impact. It just depends on who you are, who regulates your business, and what your business is (and keep in mind that it may not really be a business).

Re:bad news is good news? (1)

artgeeq (969931) | more than 4 years ago | (#29051597)

Why not look at broader behavior? People jaywalk, drive while intoxicated or talking on their cell phones, etc. There is some popular notion of what acceptable risk is, and somehow that includes shopping at TJX stores.

Re:bad news is good news? (1)

xmvince (959575) | more than 4 years ago | (#29068867)

"So, does this mean that reputational concerns are simply bunk?"

No, it simply means nothing is secure and if we stopped shopping from places that got hacked, there wouldn't be anywhere left to shop!

It only matters if you're affected (5, Insightful)

BadAnalogyGuy (945258) | more than 4 years ago | (#29039325)

Once your identity is stolen, it doesn't matter what precautions the leaking company took or what their reputation is.

And if your identity hasn't been stolen yet, it might be better to go with a company that has suffered an attack because they likely won't make the same mistake twice.

Reputations are just rationalizations. Real security is not measurable by reputation.

Re:It only matters if you're affected (2, Interesting)

eldavojohn (898314) | more than 4 years ago | (#29039549)

Once your identity is stolen, it doesn't matter what precautions the leaking company took or what their reputation is.

I disagree. I might not file suit against TJ Maxx if it was beyond their control to stop this from happening. If, on the other hand, poor unreasonable company policy allowed a low level employee to sell it on the black market, I would probably be interested in a class action lawsuit against the company for poor protection of privacy.

Real security is not measurable by reputation.

Unfortunately, for a lot of these things, reputation is all you have to judge. And nobody's walking down the street passing up shopping at TJ Maxx because of the credit card leak. Or selecting a retail clothing store based on their security reputation. These are discussions of problems with stores that are not in IT or a technology industry. If it's their primary job to protect my private financial data (i.e. paypal or online banking), you bet I'm going to seek action.

Re:It only matters if you're affected (1)

Maximum Prophet (716608) | more than 4 years ago | (#29050861)

And nobody's walking down the street passing up shopping at TJ Maxx because of the credit card leak.

Of course not, your liability is limited by law to $50, and most CC companies waive that. When this happens again to TJ Maxx, the CC companies are going to have a come-to-Jesus talk with the execs of TJ Maxx and if they don't shape up, they won't be able to process credit cards anymore. *That* will put them out of business, not singular Joes and Janes Q. Public not shopping there.

Re:It only matters if you're affected (1)

himself (66589) | more than 4 years ago | (#29052519)

The esteemed eldavojohn wrote, "And nobody's walking down the street passing up shopping at TJ Maxx because of the credit card leak."

I am. Bob's Store, too, and the one thing that I bought from Marshall's since then, I paid for with cash. I even told my wife not to go there any more if she's going to need a credit card: they're idiots and deserve to lose business.

Re:It only matters if you're affected (1)

timeOday (582209) | more than 4 years ago | (#29040093)

"Real security" is not measurable at all. Let's look at a relatively tiny sub-problem in the overall picture of enterprise security: which OS is the most secure? The answer is, there are a thousand variables, and even though OS's are the most accessible garden-variety software, and we all deal with them all the time, there is still no consensus even on this single website as to which is "best." Now try to scale that problem back up to a huge bank, (say you're looking at bankrate.com considering opening a new account with somebody): you have no idea which OS they use, let alone how they handle backups, who they contract with, or whether or not they even have consistent policies across a global empire made up of dozens of essentially different companies. In short, I doubt even a security professional who just spent months doing an audit on a single company could accurately predict whether they'll be the next victim of a big data breach, let alone a comparative analysis of all the options consumers have. So to expect a non-technical end-user, who can't even keep 1 PC in their home office from joining a botnet, to somehow weight this into their decision-making is totally unrealistic.

Duh (3, Insightful)

BobMcD (601576) | more than 4 years ago | (#29039333)

Look, people make mistakes. It happens. Even when those people are gathered into large groups. People also tend to forget things that aren't presently being trumpeted on the news as a "Big Deal".

Also, most folks don't like to worry about Security, and aren't too quick to criticize when others don't like it either. It is a classic PITA for the general public, without any measurable return on investment, so they're even further inclined to forgive. Only fear keeps us all in line, and people don't generally seem to criticize when the fear isn't working.

Re:Duh (2, Insightful)

Stenchwarrior (1335051) | more than 4 years ago | (#29039429)

Well, TJX's "mistake" was to use WEP instead of WPA; WEP has been a known security hole since 2001 and yet they continued to keep using it. Maybe blatant laziness should be punished by Federal law rather than relying on the public to decide whether or not they deserve disciplinary action.
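To make the "known security hole" concrete, here is an added example that is not part of the thread above and not code from any of the posters or from TJX. WEP encrypts each frame with RC4 keyed by a 24-bit per-frame IV prepended to the shared key, and the IV travels in the clear. Because the IV space is tiny, two frames will share a keystream after a few thousand frames, and XORing those two ciphertexts cancels the keystream entirely. The shared key, IVs and frame payloads below are constructed for illustration; the CRC-32 ICV that real WEP appends is omitted because it does not change the keystream-reuse point. The example deliberately shows only this simple reuse problem, not the RC4 key-schedule attacks (FMS/PTW) that the practical WEP cracking tools rely on.

```python
"""WEP keystream reuse: same IV + same shared key => same RC4 keystream.
Added example; all keys, IVs and payloads are constructed, not captured."""
import math


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4 KSA + PRGA, producing n keystream bytes for `key`."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Model of a WEP frame body: 3-byte IV in the clear, then
    RC4(IV || shared_key) XOR payload. The ICV is omitted (see lead-in)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + xor(rc4_keystream(iv + shared_key, len(plaintext)), plaintext)


def recover_xor_of_plaintexts(frame1: bytes, frame2: bytes) -> bytes:
    """Two captured frames with the same IV: C1 ^ C2 == P1 ^ P2, no key needed."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("different IVs: keystreams differ, nothing cancels")
    return xor(frame1[3:], frame2[3:])


def recover_plaintext(frame_known: bytes, known_plaintext: bytes, frame_target: bytes) -> bytes:
    """Known plaintext for one frame (e.g. a predictable ARP/DHCP body) plus a
    second frame under the same IV yields the second frame's plaintext."""
    return xor(recover_xor_of_plaintexts(frame_known, frame_target), known_plaintext)


def expected_frames_before_iv_collision(iv_bits: int = 24) -> float:
    """Birthday bound: roughly sqrt(pi/2 * 2**iv_bits) random IVs before one repeats.
    For 24-bit IVs that is on the order of 5,000 frames on a busy network."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


if __name__ == "__main__":
    # Constructed demo: a 40-bit shared key, one reused IV, two 16-byte payloads.
    shared_key = bytes([0x01, 0x02, 0x03, 0x04, 0x05])
    iv = b"\x00\x00\x01"
    arp_body = b"known-arp-bytes!"     # attacker can guess this frame's contents
    secret = b"cc=4111111111111"       # the frame the attacker actually wants
    c_arp = wep_encrypt(shared_key, iv, arp_body)
    c_secret = wep_encrypt(shared_key, iv, secret)
    print("recovered:", recover_plaintext(c_arp, arp_body, c_secret))
    print("frames until an IV repeats (expected):",
          round(expected_frames_before_iv_collision()))
```

The defensive takeaway matches the comment: a 24-bit IV and a static shared key make keystream reuse a certainty on any busy network, regardless of how long the key is, which is why WPA/WPA2 (per-packet keys, a real MIC instead of CRC-32) replaced it rather than a "stronger" WEP.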

Re:Duh (1)

betterunixthanunix (980855) | more than 4 years ago | (#29040113)

It is easier and more politically expedient to lay the blame on "hackers." You know, "hackers" who can just sit down and within 5 minutes completely take over bank and government systems. Obviously, we are powerless to stop "hackers," despite all of our best efforts, so it is their fault, not the fault of a company that had extremely poor security practices. In no way can the company that decided to hook its systems up to the Internet without spending the money on serious security, or to allow a radio connection to its security critical systems without taking the time to research the implications of doing so, be held liable when someone asks that company's computers for a copy of some confidential information and the servers comply and hand over the copy.

Re:Duh (0)

Anonymous Coward | more than 4 years ago | (#29042247)

Somebody did the "hacking", and it wasn't TJ Maxx.

Poor security is not an invitation to break in.

Re:Duh (1)

Mal-2 (675116) | more than 4 years ago | (#29039507)

This depends what kind of business it is. If they're providing hardware and/or services to the geek crowd, it matters a lot. If they're selling shoes and their credit card information database gets stolen, it will probably have little (if any) lasting impact because even if people hear about it, they won't understand it and thus won't remember it. If they do remember, they'll pay cash the next time they go there, but they'll still go.

Mal-2

Re:Duh (1)

noundi (1044080) | more than 4 years ago | (#29039633)

No I think it's much simpler than that. I think it's more about the teenage mentality of "well if everybody is doing it, so should I". 15 years ago we didn't hear about security breaches daily, such as we do now, and the scarcity of these cases separated and labeled the affected few as "careless". Today there are so many reports regarding so many businesses that it has become rather blase (/. hates stress [wikipedia.org] ). What's to be "marked" about when both the business left and right to me have had similar issues? Unfortunately teens don't tend to reflect too much when taking their decisions, and of course it's a really bad angle to view it from. It shouldn't get to reputation, what about the internal complications of having your system compromised? Surely this is the biggest concern. The reputation part must come after that, after someone decides to crash something that will cost you a lot to repair, if it's even possible to repair.

Re:Duh (1)

dkleinsc (563838) | more than 4 years ago | (#29040141)

Look, people make mistakes. It happens. Especially when those people are gathered into large groups.

FTFY.

There are a bunch of reasons for that: mob mentality, political considerations, and being able to duck any responsibility for screwing up are definitely a part of that story though.

Re:Duh (1)

interploy (1387145) | more than 4 years ago | (#29040733)

And don't forget the "It'll never happen to me" mentality that most people have.

If a company really wants to ruin its reputation, it'll get caught stealing from customers. Much more of a direct impact and much more identifiable by everyone, even those not directly affected, because - let's face it - who hasn't been ripped off at one point or another?

Re:Duh (3, Interesting)

hey! (33014) | more than 4 years ago | (#29042175)

It's not so much forgiveness, I think, as resignation.

For the public, worrying about computer security is like worrying about an invisible, odorless poison gas that appears in completely random places. If they knew where the gas would strike, they'd fear those places. If the gas had an odor, they'd learn to fear it. If they knew who was responsible for creating the gas, they'd demand that outfit be shut down.

But if there's nothing they can do to protect themselves, they'll just ignore it and hope for the best.

That's what computer security is like for most people. They don't understand it, and they have good reason to suspect that the people who run the companies they deal with don't understand it. If a company gets hit with an embarrassing breach, they might reasonably conclude that its claim to have learned its lesson is just as credible as a different company's claim it hasn't been hit because it already knows better.

If you want to fix this, there are two ways, neither of them popular. The first is more regulation of record keeping practices. The second is to establish liability of companies when information they are holding is misused.

Re:Duh (1)

plover (150551) | more than 4 years ago | (#29044619)

For the public, worrying about computer security is like worrying about an invisible, odorless poison gas that appears in completely random places. If they knew where the gas would strike, they'd fear those places. If the gas had an odor, they'd learn to fear it. If they knew who was responsible for creating the gas, they'd demand that outfit be shut down.

But if there's nothing they can do to protect themselves, they'll just ignore it and hope for the best.

You've also just described "terrorism" (little-t) and included the most practical, rational approach to coping that we humans have. Unfortunately, our politicians and news media have adopted "Terrorism(TM)" as their poster child to manipulate the voters into marching to their prescribed beat of "fear, fear, spend, spend, attack, attack, vote, vote."

I just wish your suggested fixes worked as well in that problem space.

No security available anywhere (5, Insightful)

Anonymous Coward | more than 4 years ago | (#29039347)

Essentially, no business properly secures their data. This means there are no alternatives, so there can be no repercussions from failure to enact proper security. People may moan and complain, but it isn't that they chose a company with poor security, it's that the industry just does business without security. For instance, no one will go without banking, and no bank is known for properly securing their data. Thus, clients can't create loss of profits for businesses with a poor security reputation.

Additionally, most consumers don't consider security as a main part of what they get from a service, thus not making it a major part of their decision. People don't look at banks (example) for how securely they store passwords, but instead for the interest rates provided. Again, until some start doing it right, none will be forced to.

Re:No security available anywhere (0)

Anonymous Coward | more than 4 years ago | (#29042167)

There may be no such thing as perfect security, but that doesn't mean that some banks don't do a better job than others.

Re:No security available anywhere (1)

noidentity (188756) | more than 4 years ago | (#29045421)

Essentially, no business properly secures their data. This means there are no alternatives, so there can be no repercussions from failure to enact proper security. People may moan and complain, but it isn't that they chose a company with poor security, it's that the industry just does business without security. For instance, no one will go without banking, and no bank is known for properly securing their data. Thus, clients can't create loss of profits for businesses with a poor security reputation.

Let's rewrite that a bit: "Essentially, no business sells computers. This means there are no alternatives, so there can be no repercussions from failure to offer computers for sale. People may moan and complain, but it isn't that they chose a company that doesn't sell them, it's that the industry just does business without selling any computers. For instance, no one will go without calculating finances, and no company is known for offering computers to do this. Thus, clients can't create loss of profits for businesses that don't sell computers."

The thing you're leaving out should now be clear: entrepreneurs who take advantage of untapped markets. If people really want security (i.e. are willing to pay for it), then there's a huge untapped market that some company could make profits by catering to.

Re:No security available anywhere (1)

shentino (1139071) | more than 4 years ago | (#29053673)

Maybe it's because security would also stop corporate fat cats from siphoning from the till?

Re:No security available anywhere (1)

Maximum Prophet (716608) | more than 4 years ago | (#29050925)

Barings Bank of London had poor internal security. Now they are no more. http://en.wikipedia.org/wiki/Barings_Bank [wikipedia.org]

Barings Bank (1762 to 1995) was the oldest merchant bank in London[1] until its collapse in 1995 after one of the bank's employees, Nick Leeson, lost £827 million ($1.3 billion) speculating - primarily on futures contracts.

Size matters (5, Interesting)

mcrbids (148650) | more than 4 years ago | (#29039359)

From what I can see, size matters. The impact of a security breach on the business is inversely proportional to the size of the business. Small companies, big deal. Big companies, Eh - whataya gonna do?

For me they did (1)

FranTaylor (164577) | more than 4 years ago | (#29039369)

I live very close to stores from both companies and only pay cash at them now.

Re:For me they did (no they didn't) (4, Insightful)

cblack (4342) | more than 4 years ago | (#29039435)

So then their security breach had no effect on their bottom line as far as you as a customer are concerned. In fact it could be argued that now they are making more $$ off you than before as they don't have to pay credit card transaction processing fees for your purchases.

Re:For me they did (no they didn't) (1)

u38cg (607297) | more than 4 years ago | (#29042675)

It's not that clear-cut, actually. Cash handling is expensive, although it has more of a fixed cost element than CC fees.

Poor reporting (2, Insightful)

SIGBUS (8236) | more than 4 years ago | (#29039387)

Outside of the geek world, these data breaches either go unreported or just get a passing mention between breathless coverage of $CELEBRIDEATH and breathless coverage of $REALITY_SHOW_CONTESTANT. A lot of people simply don't realize that these things are going on.

Re:Poor reporting (1)

betterunixthanunix (980855) | more than 4 years ago | (#29039961)

I think more to the point is that a lot of people place the blame on "hackers" when they hear about these blunders, rather than on companies that had poor security practices. People seem to think that a "hacker" is someone who can sit down, instantly bypass any security system, and then steal information -- and the innocent companies did everything they could to stop it from happening. Nobody has any concept of the common textbook mistakes that these companies cannot find the money to correct, or just how many times these companies have ignored the warnings of security experts because it was easy and cheaper to do so.

Re:Poor reporting (1)

squallbsr (826163) | more than 4 years ago | (#29040515)

The same thing can be said for the people who have a bot-infested XP machine sitting in their office. Instead of spending the money on AV and security, investing time into making sure they aren't stupid on the web - they just go on with life and blame the hackers.

Another thing that goes against us is the portrayal of hacking in TV shows and movies - they make it look so easy to hack into NSA systems and other HIGH-SECURITY systems that people start to believe it's possible.

Lack of coverage can have another cause (0)

Anonymous Coward | more than 4 years ago | (#29045995)

TJX and Hannaford are virtually unknown among normal people. If you don't have a reputation, it's pretty damn hard to destroy it.

You have to have a reputation first (0)

Anonymous Coward | more than 4 years ago | (#29039395)

Where there's nothing to lose, there's nothing to lose.

In a word, yes. (0)

Anonymous Coward | more than 4 years ago | (#29039423)

Reputational concerns? Unless it makes it into the news, (in which case, we apologize and are working for a solution) you didn't hear about it.

Unless the lawsuit causes multi-million dollar losses, the price to update antiquated systems and clean things up is greater, and nothing will change.

People are all too happy to continue buying products without a second glance. If there's no backlash, no sales dip, why would TJ Maxx care?

It's the evil of convenience... much the same problem with the credit card itself.

Corporations and reputations (2, Interesting)

homer_s (799572) | more than 4 years ago | (#29039477)

Here [econlib.org] is an interesting piece about corporations and their incentives to protect their reputations.

It is not about IT (it is about insurance companies in Nazi Germany), but provides a very good insight nonetheless.

Depends what industry (2, Interesting)

mewsenews (251487) | more than 4 years ago | (#29039497)

If you're a relatively mundane manufacturing company and you leak customer data -- who cares?

If you're a Visual Effects studio and you leak shots from a major new film, "sonny, you ain't gonna work in this town again".

Re:Depends what industry (0)

Anonymous Coward | more than 4 years ago | (#29039819)

This is absolutely true for a very specific reason. Banks make their profit from money, not the non/secured data (passwords, etc.). Film studios make their profit FROM the non/secured data (the film, or clips thereof). Each protects what their business is, which is to say what they profit from.

The concern in the banking scenario is that the non/secured data that is a concern is data ancillary to their main business. Or at least, it is just ancillary enough to not need to be a main focus. A film studio can't sell you a film you've already been given. A bank can still invest your savings (and return some interest to you) even when your password (etc.) has been stolen.

Re:Depends what industry (1)

Col. Panic (90528) | more than 4 years ago | (#29039883)

If you are a bank and your database of credit card numbers was compromised, your customers might think twice before opening any new accounts with you, or continuing their current one/s.

Re:Depends what industry (1)

Grizzled Old Scout (1248100) | more than 4 years ago | (#29041405)

But the point of TFA is that there is little evidence (from the author's viewpoint; it doesn't appear as if this has been rigorously studied) that this is true. It seems like businesses which suffer breaches do not see a corresponding loss of customers or revenue. I'd bet that this is true.

Reputation means very little; Response means a lot (1)

wbren (682133) | more than 4 years ago | (#29039581)

Remember, the company you see on the news regarding their first ever data breach had a sterling security reputation... until it didn't.

I expect companies I do business with to do everything possible (within reason) to prevent breaches, but I also accept the fact that breaches are inevitable.

Be upfront and honest with me about it. Make sure it doesn't happen again. Repair any damage that was done. Do those things, and you'll have my business.

Re:Reputation means very little; Response means a (1)

BlueKitties (1541613) | more than 4 years ago | (#29039759)

*slap* Reputation comes from good response. If I have bad response, I will probably end up with bad reputation. Reputation is a collective social standing brought about from overall performance.

Re:Reputation means very little; Response means a (1)

wbren (682133) | more than 4 years ago | (#29039903)

TFA links a company's security reputation to whether or not a breach occurred in the first place, not how the company responded to the breach.

There is a subtle difference between a reputation for having no security breaches and a reputation for responding well to security breaches.

I am claiming the former is not as important as the latter.

Re:Reputation means very little; Response means a (1)

BlueKitties (1541613) | more than 4 years ago | (#29040001)

Oh, well if you're taking that definition of security reputation, I fully agree; My mistake.

Not in Finance (1)

Foofoobar (318279) | more than 4 years ago | (#29039619)

Banks, hedge funds, insurance companies and anyone dealing with money ... this is a real and valid concern because not only are stock holders and investors watching your every move but the Feds are as well, and you get audited regularly to see that you are in compliance with a variety of guidelines.

Failure to meet, match or getting caught with your pants down on security can mean clients will not sign up with you due to your ranking or lack of credentials.

Re:Not in Finance (1)

squallbsr (826163) | more than 4 years ago | (#29040577)

Dealing with regulations for the banking industry: there is a requirement that SSNs are encrypted; unfortunately, ROT-13 would pass under the regulation's definition of encryption.

TJX breach didn't matter. (2)

MaerD (954222) | more than 4 years ago | (#29039727)

The TJX breach didn't matter to the vast majority of TJX customers.
Most didn't hear of it, and those that did went "Oh, it was only X store and I wasn't affected"

Look at the TJ Maxx stores, they are a low end bargain retail chain, most of their business probably isn't even done with credit cards. Even those customers that were affected probably disputed the charges and moved on, without understanding how crappy the security was. Most customers probably bought the "oh my, we're sorry this happened, we'll make sure it doesn't happen again" line, even though anyone with sense could point out how BAD the security hole was and that the shocking thing wasn't that it happened, but that it hadn't been going on for years (that we know of).

Let's be honest.. how many of us shopped there before? How many of us will not shop there again ever? How many will just not use a credit card at TJX stores?

Now if this were an online retailer where people think a bit more about "Hrm, where am I giving my credit card number?" A breach like this would mean more to the customers.

Reputation doesn't matter in some industries (2, Insightful)

Anonymous Coward | more than 4 years ago | (#29039743)

A credit card transaction processing company, Heartland Payment Systems, suffered a serious data breach [2008breach.com] in 2008. My credit card information was compromised. Unfortunately, there is nothing I can do about the situation, other than get a new card.

I called Heartland. They told me they were implementing end-to-end encryption (I don't understand how such a company could possibly not already be using extensive encryption). I asked them for a list of the companies that process transactions through Heartland so I could avoid those businesses. No such list is available -- precisely because it could damage the reputation of these businesses.

Heartland doesn't care, and there is no reason they ought to. This is why they didn't already encrypt my data. As far as I can tell, there is absolutely nothing I can do as an American consumer to discourage this type of corporate behavior from this industry in the future.

The people truly holding the reins in situations like these are the investors. What we need are investors who respond to ethical news as rapidly as they respond to financial news. But investors seem to like news of unethical behavior and corner-cutting, because it implies the firm will do anything to cut costs and maximize profits. The truly greedy people aren't the CEOs and the suits, it's the multi billion dollar pension funds and investors who want only to grow their money at the expense of everything good.

Re:Reputation doesn't matter in some industries (1)

idiotnot (302133) | more than 4 years ago | (#29040555)

If I had modpoints, you'd get one, AC. The Heartland breach kinda makes TJX look minor, and many people who might have been affected would never know.

Shame TFA didn't mention this, because it's a much more serious vulnerability than one large retail chain, precisely because the customers don't know about it.

But to answer the question posed, I think I might be more likely to shop at a chain that's been compromised. Not right when the story is breaking, mind you, but several months later, certainly. If they've had a compromise, the risk of a second compromise and the ensuing damage from it, is a far greater financial risk than a one-time charge to fix any problems that led to the first compromise (as well as anything new that's found during the review).

Same applies to air travel. I know I'll feel a lot more confident flying on an A330/340 after the Air France crash, once the upgraded airspeed sensors are installed fleet-wide. Same deal with the FAA's complete grounding-for-wire-inspection of the DC-9/MD-{8X/9X}/B-717 fiasco from early last year.

If I had a reason to go to a TJX store, I wouldn't hesitate to do so. (And, yes, I did check my Amex statements after the news came out, and I realized I'd bought some luggage at TJ-Maxx around the time of the breach)

Re:Reputation doesn't matter in some industries (0)

Anonymous Coward | more than 4 years ago | (#29041995)

How do we know that they are doing the encryption now?
I worked as a consultant a few years ago building a business portal. At that time there was major concern about the storage of people's information.
Lately there hasn't been that much concern, and one customer even wanted to reduce the cost by getting rid of the encryption buffer and firewall for handling data. Their reasoning was that MS would be liable if the system was penetrated. They weren't concerned about loss of information, but about where their financial liability would end.

There was also a big difference in the business models. In the first, a number of the customers would be what you would call power players. I scanned through their customer list and 20 or 30 names were people I recognized from business, government and entertainment. In the second instance it was John Q Public at risk. So that may have been a bigger part of the difference.

Not at all (1)

Opportunist (166417) | more than 4 years ago | (#29039789)

It's insanely hard to sell security with the reputation angle. Why? Because neither companies nor customers give a rat's fuzzy bottom about it. Did you hear of anyone who canceled their account with a bank after said bank lost customer data by the gigabyte? Nah. Why? After all, now they fired that idiot that lost their data and now they're safe again. They said it themselves!

(if people actually heard about it, that is)

You sell security with the liability angle. If, and only if, there are some sizable fines tacked to the loss of private customer data, companies will probably, maybe, eventually start to listen. But only if they can't find an insurance company that covers that problem more cheaply.

In the long term, it's irrelevant. (1)

xdroop (4039) | more than 4 years ago | (#29039809)

In the long run, nobody cares. Initially everyone cares because there's a big negative blow-up in the press, the stock takes a beating, and everyone spins their heads off. Then the quarter ends, the media loses interest, the stock comes back, and it's business as usual. And the real potential losers, the customers, never cared at all, they just want their latest fashions. The six people who might care do their shopping elsewhere, but they're statistically irrelevant. Now if you'll excuse me, I'm off to see what's shiny and new at Fry's.

Two kinds of reputation (1)

gurps_npc (621217) | more than 4 years ago | (#29039827)

There is a reputation for being bad and a reputation for being good.

Having a reputation for being bad doesn't mean much anymore because so many people have screwed up. But a reputation for being good is worth its weight in gold.

If I told you about how horribly my credit card company treated me, would you care? No, because you expect all credit card companies to suck. But if I told you they were fantastic, did a great job dealing with an identity theft case, then you might want to know about it.

The Government Will Save Us (1)

Aladrin (926209) | more than 4 years ago | (#29039849)

We've been trained all our lives that the Government will step in and save us. Is it any wonder that people no longer bother to research things before they put their money in them?

I research dang near everything I buy, right down to my toaster-oven. Because I do so much research, I know how to read the information out there, and it has been a -long- time since I bought something that was crap. (Except some toys I bought on impulse without researching!) Most people can't be bothered, so they pay the price eventually.

But between getting away with being lazy and thinking the government will protect them, what motive do they really have to make wise decisions in the first place?

Lack of large-scale consequences (2, Interesting)

JoeD (12073) | more than 4 years ago | (#29039875)

It's because so far, there haven't been any large-scale consequences resulting from the widely-publicized breaches.

Sure, a bunch of people's info got released, and some of those people had serious identity-theft issues resulting from it, but most of the people affected got new credit card numbers and moved on.

When there's a data breach that results in a bank going belly-up, or major stock fraud, or large loss of life, then a reputation for security might start to matter.

Of course it doesn't matter. (1)

ak3ldama (554026) | more than 4 years ago | (#29039879)

Government agencies lose secure/private data all the time, and we still respect them.

Re:Of course it doesn't matter. (0)

Anonymous Coward | more than 4 years ago | (#29043283)

Who respects government agencies?

Ask ChoicePoint if this is No Big Deal (1)

thepainguy (1436453) | more than 4 years ago | (#29039967)

They had a major problem a few years ago, where due to some poor sales policies they gave bad guys access to tons of SSNs. That led to pushes on Capitol Hill for major changes in how all personal data providers do business, and in particular how they handle SSNs.

That had a non-trivial impact on a bunch of companies, including one I worked for. It caused us to spend a lot of time and money checking to see if we had a similar vulnerability (because our business was very SSN driven).

A difficult problem (1)

rjhubs (929158) | more than 4 years ago | (#29040007)

The issue is that there is little incentive to take proper precautions in protecting personal data. Yes, reputation might affect customer decisions a little, but the problem is so broad what are you going to do.. change your bank? I had a former employer send me a letter once that my personal data may have been exposed as they moved office buildings, what option did I have then? The only real answer I can think of is to have some legislation that penalizes a company if such a breach of personal data occurs. Of course that may provide the incentive for companies to just not report when such a breach occurs, which would probably be worse for the consumer.

a requirement (1)

Lord Ender (156273) | more than 4 years ago | (#29040025)

Many potential customers won't do business with you if you don't pass security audits. That's one major reason why having some security pays off.

The other reason, of course, is breach notification. It is very expensive to tell one million people you left their billing info on an anonymous FTP server.

Re:a requirement (1)

Arimus (198136) | more than 4 years ago | (#29043879)

What? How many Walmart customers do you know who do a full security audit (both physical and IT infrastructure) before shopping there?

We're talking about b2c as customers here, not b2b... so most Joe Public customers are not going to do security audits before shopping somewhere.

What's the correlation? (1)

webagogue (806350) | more than 4 years ago | (#29040107)

We're talking fear of identity theft with these kinds of lapses/buffoonery, yeah? Are there identified spikes in identity theft over a period following these incidents? Are there any numbers?

Factors (1)

natehoy (1608657) | more than 4 years ago | (#29040117)

A lot of the impact depends on how important that company is to your daily life. When Hannaford got breached, well, here in Maine there are basically three major food chains. Wally World sells truly awful produce but has decent prices. Shaws sells really good quality stuff but tends to charge a bit more. Hannaford is the "happy medium" for most folks. Then, of course, there are the mom-and-pops and smaller chains who have their loyal following, and that's great too. But a lot of folks went to Hannaford before the breach, and a lot of us do after the breach too. I even use my re-issued Discover card there (had to be reissued because it was on the "suspect" list, even though I fortunately never saw any suspicious activity on the card).

So if Hannaford got breached, so what? Their response was pretty good and they made amends to those affected. Family's still gotta eat. If they are the closest grocer, and/or the one you prefer, will you change your habits over that? A lot did at first, and I'm sure some still do, but the parking lot's still busy.

Now, if this was a high-end luxury item retailer, they'd probably be toast. If they sell something people don't actually need for their daily lives, a temporary boycott of a company like that can quickly turn into a "you know, I really never needed any of that stuff" permanent change. If you're holding on to your customers by anything but their basic needs (food, inexpensive clothing, shelter) then you never want to give your loyal customer base an excuse to try the competition.

It depends on the customer's view of the company (1)

haus (129916) | more than 4 years ago | (#29040261)

TJX is not a company that anyone expects much out of from the standpoint of security. While it would be nice if they were not idiots, they were, and it is unlikely that anyone who has done business with them would be surprised.

If a company were to have a solid reputation for security, and have a large chunk of their revenue based on security offerings, and were then to be discovered to not only have been exploited, but to have been exploited because they failed to make even a reasonable effort to protect themselves, then there would likely be a reputational impact that could hurt/kill the company.

Look at the Cyber Security Industry (1)

lib3rtarian (1050840) | more than 4 years ago | (#29040431)

[disclaimer, I work in cyber security] Look at Matasano.com, John Bambanek, or Kevin Mitnick; they are all famous security researchers or companies. And all of them have been very publicly hacked in the past. None of them even speak about being publicly defaced and hacked, but all you have to do is read ZF0 and boom, evidence. Matasano's website still isn't even back up, and they charge inordinate amounts to profess to be security experts. I'm sure the big bucks are still rolling in for all of them, even though they can't even keep their own houses in order. Security reputation should matter, the same way reputation should matter. If you can't trust someone's word, what can you trust from them? I'm speaking exclusively about the security industry in my comments. I personally still shop (using plastic) at TJX because their prices are very low. I wouldn't go to them for a PCI audit though, that's for sure.

No 9-11. Yet. (5, Insightful)

Hasai (131313) | more than 4 years ago | (#29040499)

The problem is there hasn't been the digital equivalent of a 9-11 yet. Once someone breaks into one of the major banks and zeroes the accounts of several million Americans, then you'll see a reaction. Too late. As usual.

Re:No 9-11. Yet. (5, Interesting)

AdmiralXyz (1378985) | more than 4 years ago | (#29041511)

Your statement actually has rather terrifying implications, since after 9/11 we saw a rush of hysterics that created a) illusory security practices like the nonsense we have to put up with at airports and b) several wars in the Middle East that have done anything but make us more safe. I can't help but think that when (not if) there is a break-in like you describe, the government is going to start keeping track of everyone who downloads nmap, etc.

Re:No 9-11. Yet. (0)

Anonymous Coward | more than 4 years ago | (#29045005)

We're already tracking, Bob. By the way, Sally will be late tonight. She's going out with Betty from Accounting again.

lol (0)

Anonymous Coward | more than 4 years ago | (#29040979)

The stores are secured by security guards. Just the credit card machines aren't, which really isn't a retail store department. I'd say it's more of a bank problem, unless multiple incidents of cashier thievery occur; then it's more of the credit card machines.

Have a bank do that with information, and more than likely I would switch banks.

Not what it means at all (1)

kheldan (1460303) | more than 4 years ago | (#29041043)

What it means is that the average person doesn't have any idea what "data security" is all about, not even when they read news stories about breaches in data security. The only time any of it gets through their heads is when their identity has been stolen and their lives are ruined because of it.

The bank is always right (1)

plopez (54068) | more than 4 years ago | (#29041205)

And if the bank is wrong, it is still right.

Banks have *very* little liability. Many of the breaches have had to do with credit cards issued by, guess who? Banks. So who cares. The onus is on the card holders. The only rights a card holder has are in the creditors' rights laws, which do not cover identity theft.

So the bank can walk away from any civil liability in the case of identity theft. And just dare to try to impose liability. The banks will scream "We're too important to the economy! We'll stop lending! We'll stop buying government bonds!" They'll put a gun to our heads.

Remind me again why I should be happy to bail them out.

Re:The bank is always right (0)

Anonymous Coward | more than 4 years ago | (#29042829)

Because they support/pay your congressman?
Feel better now?

only accountants place value on intangibles (1)

petes_PoV (912422) | more than 4 years ago | (#29041567)

for everyone else, if you can't measure it, it's worthless.

Whether it's "goodwill", "reputation", "contacts" or whatever. You often see these so-called assets listed when a business is up for sale. However, no-one has ever found a way to measure the amount of any of these things that a company claims to have, let alone being able to place an objective value on it. All these attributes are pretty much meaningless, either to customers or shareholders. The only thing that matters is price. Take low-cost airlines as an example. They (mostly) have a terrible reputation for service, attitude, courtesy and any sort of customer satisfaction. However, by being a penny cheaper than the competition, they can always fill their planes and make a profit.

It can happen to anyone (1)

bytesex (112972) | more than 4 years ago | (#29041791)

It's the general feeling, even among professionals, that security breaches are arbitrary. That, for every laptop with unencrypted harddrives and/or data left in the train, there is a remote root hole on the securest system that defies explanation because it was never thought of before.

Change the dynamic (0)

Anonymous Coward | more than 4 years ago | (#29041859)

Companies care about reputations only when it affects the bottom line (even TJ Maxx suffered little compared to their gross). And with consumers facing little liability when credit card leaks happen, they are unlikely to change where they shop. For security to suddenly matter you'd need something like

- companies start caring before the breach (e.g. credit card companies start charging much higher processing fees to insecure businesses)
- a few hard luck stories on the 10 o'clock news ... unemployed mother of 4 faces everything due to identity theft at store

Choice is almost as good. (1)

bcrowell (177657) | more than 4 years ago | (#29041931)

It would be great if companies with sloppy security practices would be punished severely, go out of business, have all their executives waterboarded and sent to Guantanamo, etc. But the next best thing is if I, as an individual, have a meaningful opportunity for choice. I switched from Ameritrade to Scottrade because I, like many other people, was getting pump-and-dump spam sent to the email address that I used only with Ameritrade. (For years they claimed it was dictionary attacks, even though I and many others explained to them why that wasn't a plausible explanation of the data. They finally admitted to a security breach after years of such stonewalling.) Another good example is that I use Linux rather than Windows. You can also go to optoutprescreen.com and opt out of unsolicited credit card offers, and that's actually a win-win; you're happy because of the better security, and they're happy because they keep you as a customer and don't get the expense of sending you offers that you're not going to read. And of course, you can take the opportunity to let companies know why you're making these choices. E.g., when I closed my Ameritrade account, I told them why.

No, I'm not under the illusion that Ameritrade, Microsoft, or Mastercard are shaking in their boots. These companies all basically made economic decisions that some other benefit was more important to them than taking their customers' security seriously. But that doesn't change the fact that my choices improved my own security.

SHA-1 is cracked! (1)

Coolhand2120 (1001761) | more than 4 years ago | (#29041991)

It seems that everyone is ignoring the 800lb gorilla in the room.

http://it.slashdot.org/article.pl?sid=05/02/19/1424201&tid=93&tid=172&tid=218 [slashdot.org]

My theory is that security experts (and novices like myself) feel totally... betrayed, flummoxed, frustrated, whatever, that we are still using security algorithms that have been compromised. I know you need a supercomputer to crack SHA-1, however last I checked there are quite a few of those, and you can basically make a mini-supercomputer with a dozen or so quad core computers or even a few PS3's. Not to mention all the other various "in the wild" security vulnerabilities that people don't care to fix.

Here's another HUGE problem that's being glossed over: SPAM. All you need to do in some cases is turn on an email client to be compromised because some jerk didn't feel like fixing that buffer issue in their handling of GIF images, and you didn't even know it was an issue because the manufacturer was keeping the vulnerability a secret, and what would you do about it anyway? "Sorry Dan, you can't turn on your email client until this vulnerability is patched." That shit is just not in the cards. What do you do? Ignore the problem? So many security issues read EXACTLY like this. Eventually you have to say "Sorry, we can't fix it, and you can't stop working, so let's just pretend there is no problem."

This huge unspoken problem is gnawing away at my subconscious when I try and tighten security. In the back of your head there's a little FreeBSD daemon saying "Hey, it really doesn't matter if you update that port, the Chinese can crack it anyway." Or "What's it matter? There is some vulnerability that you are not privy to that is going to take the whole system down, so why mess with patching?" Of course you try and ignore the voice and patch anyway. However, that does not make the voice go away.

And maybe that time I did update it, but maybe next time I'll say "what's it matter, it's been compromised and nobody is interested in fixing it, I certainly can't fix it. So why should I care?". I think the attitude trickles down from the IT Sec. guys into the regular IT guys and then into the non IT guys until everyone has this cavalier attitude about security: "No matter how hard I try someone will always be able to break in, so fuck it. "

stopped shopping (1)

squoke (1447831) | more than 4 years ago | (#29042271)

I, myself, have stopped shopping at TJX stores since the breach and I will not shop there again.

It's about Business, not Security (1)

photonrider (571060) | more than 4 years ago | (#29042797)

There was a story quite a while back comparing two companies who suffered judgments in court. One company had followed all the rules and provided the archived emails/documents the prosecution wanted. They were found guilty and fined $200 million. The other company had no document retention policy, no archived emails and could not produce anything the prosecution wanted. They were scolded and fined $20 million. Which was the best business decision with regard to document retention policies? Not a perfect example nor applicable in all situations, but it illustrates the business decision. This is a similar business issue. Do you spend a lot of money and manpower on security? Or, since the public memory is so short and the leading edge of the wave is well past, it becomes just another page 5 story for most occurrences. Just the few biggies make the front page, and that is soon forgotten as well. When the business says the amount of attention and impact a breach would receive is small compared to the cost to protect against it, the game is pretty much over, move along. If it doesn't contribute to or protect the bottom line in a fairly direct fashion, 99% of the time it won't get done. The other 1% of the time it's a law or regulation of some sort that forces action.

Re:It's about Business, not Security (1)

Maximum Prophet (716608) | more than 4 years ago | (#29050993)

The other company had no document retention policy, no archived emails and could not produce anything the prosecution wanted. They were scolded and fined $20 million.

And if they had a document retention policy that said "We don't keep anything, we burn it before we read it", they would have escaped the $20 million fine. (:-)

Can't lose reputation if you don't have any ... (0)

Anonymous Coward | more than 4 years ago | (#29049531)

Looking at the frequency of data breaches in recent times, I do not trust anyone to be competent in that area anymore. To me, all the big companies have no idea of how they are actually handling all the data and therefore have lost their reputation already!
