Security???

"They breached the security of the database without authorization"

What bloody security?

As to the CEO's statement "..website was recently audited for security by penetration testers from SecurityMetrics and Adhost", firstly, is Adhost a security expert company? (dunno about the other), but then she fails to give the results of the audits. Might have been damning. McKinnon would've been a better choice of 'penetration tester'.

IANAL, natch, but they haven't got a leg to stand on, as far as I can see. As far as PR goes, a lawsuit would be a disaster for SecurityMetrics and Adhost. Maybe they'll counter-sue.

The CEO is an attorney

Elaine Morley is an attorney. I don't know what she hopes to get out of it. She should be smarter and not waste money on these lawsuits. We may not have noticed anything but now that there is publicity she will have egg on her face and I doubt very many companies and gov organizations will want to deal with Lookout Services. The company does I9 verifications, for heaven's sake. That means it has/processes records of a HUGE number of employees. I can bet larger organizations have already crossed Lookout Services from their list for next year's renewal.

As they say, everything comes from the top. MS could have cared less about security till gov organizations decided to twist its arm. Then Bill Gates and Steve Balmer ordered security as the top priority and drove it down to the line engineers.

Lookout Services taking a stand against whistleblowers implies that Lookout Services is going to litigate out of the mess. Fine. It is tainted now.

"Tell us what you saw and how you did it"

http://www.minnpost.com/client_files/pdfs/MPR-demand-letter-FINAL.pdf

This seems to admit that the company concerned don't know what has been accessed nor how this was achieved - I can't believe they would want to acknowledge how little they know. AFAIK, all the individuals whose personal data has been exposed must be informed of the breach(es). I wonder how many of them might sue, given that the CEO acknowledged that they "screwed up by caching credentials on several web pages".

This could backfire nicely...

The news person should get a class action with the 500 people and sue the morons for the information leaking out (sure in the US there bound to be a case for distress and trauma).

They should prosecute themselves

By creating the insecure system that allowed the reporter to obtain access to the insecure accounts, the company has AIDED AND ABETTED any so-called crime.

Thus, the fault is entirely with the company.

Never shoot the messenger. In doing so, you only draw yet more attention to your own INCOMPETENCE.

So...

Someone finds a substantial hole in their security and instead of fixing the problem and keeping quiet, they launch into a bunch of yelling and posturing... Interesting tactic for keeping your company name from receiving bad publicity. I don't think it is working.

Sued for rattling doors

So, someone was walking down the street rattling doors on storefronts, and found one that had been left unlocked, though there was a "authorized personnel only" sign on it, there was no guard.

She told the company and a few people who have an interest in the company that the door was being left unlocked, then wrote a story about it.

So the company sues her for telling the world that they don't have their door locked? Brilliant business tactics, that.

Oh, and from personal experience, website testing is usually totally automated. All they do is to scan for open ports and what version of various software you have installed, and report potential vulnerabilities. They don't check for bad programming on your site; you could have any number of vulnerabilities in your own website code, they'll never find it. You need a human with some knowledge to take a peek to discover those problems.