I’m all for putting hackers who break into computer systems and steal personal information in jail.
But I also think it is time to start putting inept programmers and managers of big companies in jail, too. For the same reasons.
If a website is so poorly designed that it doesn’t meet reasonable levels of security, then the programmers should go to jail. The failure to provide even the most basic levels of testing and security should be a crime.
I have seen many, many websites where accounts are hacked simply by manually modifying a URL, often by changing an &Account=1234567 to a different number. This is inexcusable.
I had the unfortunate opportunity to talk with a programmer and his manager about the complete lack of security on their web site. In this case, you could access other users’ personal information by just logging into your account and then changing the account number on the URL. The system would continue to think that you were authenticated as you saw another person’s information.
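The URL-tampering flaw described above, as an added example that is not part of the original post: a minimal account-lookup handler that authenticates but never checks ownership, beside the corrected version that does. The session table, account records and function names are constructed for illustration and do not come from any real site.

```python
# Added example (not from the original post): the "change the account number in the
# URL" flaw, shown as a minimal account-lookup handler with and without an
# ownership check. SESSIONS, ACCOUNTS and the get_account_* names are illustrative.
from typing import Optional
from urllib.parse import urlparse, parse_qs

# Constructed sample data: session token -> owning account id, and account records.
SESSIONS = {"tok-alice": 1234567, "tok-bob": 7654321}
ACCOUNTS = {
    1234567: {"name": "Alice", "email": "alice@example.com"},
    7654321: {"name": "Bob", "email": "bob@example.com"},
}


def account_id_from_url(url: str) -> Optional[int]:
    """Extract the Account parameter from a URL such as /profile?Account=1234567."""
    values = parse_qs(urlparse(url).query).get("Account")
    if not values or not values[0].isdigit():
        return None
    return int(values[0])


def get_account_vulnerable(session_token: str, url: str) -> Optional[dict]:
    """Authenticates the caller, then trusts the Account in the URL (the flaw)."""
    if session_token not in SESSIONS:
        return None  # not logged in
    account_id = account_id_from_url(url)
    # Authorization is never checked: any logged-in user can read any account.
    return ACCOUNTS.get(account_id)


def get_account_fixed(session_token: str, url: str) -> Optional[dict]:
    """Authorizes as well: the requested account must be the session's own account."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return None  # not logged in
    account_id = account_id_from_url(url)
    if account_id != owner:
        # Treat as a probe: log it server-side and return the same response as for
        # a missing record, so the caller cannot tell whether the id exists.
        return None
    # Safer still: key the lookup on the session's account and ignore the URL value.
    return ACCOUNTS[owner]
```

Note that the fixed handler still parses the URL parameter only to detect mismatches; the record it returns is always selected by the authenticated session, never by the client-supplied id.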
Neither the programmer nor the manager was concerned by this lack of security. The programmer indicated that they had other projects that were higher priority. The manager simply dismissed the problem by saying that hacking a computer was a crime.
Home Depot recently had over 50 million accounts violated. They incurred no cost. They did nothing to protect their users. They merely sent out an apology email and went on with their business.
Yet, the facts in the Home Depot case seem to be that they had terrible security, they didn’t do the most basic of testing, and the head of security had (it is rumored) been fired from his previous job and Home Depot was afraid to fire him for fear that he might sabotage the company.
As long as failing to protect customers’ data has no cost or penalty to a company, companies won’t spend money on protecting that data.
Years ago the same thing was true for environmental laws. Individuals simply weren’t responsible if a company harmed the environment. Then, laws were changed and individuals could in some cases be held personally responsible for trashing the environment. Suddenly, companies took the environmental protection laws more seriously.
It’s time for the same thing on computers. Programmers and managers should be held personally responsible if they grossly fail to protect users’ private data.
The hacking of Home Depot is much less a story of diligent hackers than it is of inept programmers and managers. The TJ Maxx hacking was simply that the company’s WiFi had no password. Really, which is the bigger crime: accessing a WiFi network with no password or failing to put a password on a network that stores millions of credit card numbers?