"The POS is a MS Windows system, but it only runs the POS application"
Now substitute Piece of Shit for the abbreviation. FTFY
Supervalu, one of the biggest supermarket chains in the US, is warning customers who shopped with them between June 22 and July 17 to check their bank statements, after investigators discovered hackers have been at work. "The safety of our customers' personal information is a top priority for us," said CEO Sam Duncan. "The …
"This is another example of an incompetent retail CEO incapable of providing leadership and process to secure their organization. Just as the CEO must manage his staff and assets, the CEO is responsible for protecting the security of his network and his customers," said Philip Lieberman, president of security firm Lieberman Software.
Haven't read the background (only what's in the article) but had to re-read this block because the tone is pretty harsh from the get-go.
Don't get me wrong, I agree that holding the CEO ultimately responsible is potentially a good way to get companies to start paying proper attention to security, but I'm not sure firing him is the best way forward (unless there's some additional background I've missed, or you simply want to make an example so that other CEOs perk up).
Some unpleasant consequences, but retention of the job (this time) would surely be the better way forward. If you're going to teach someone a lesson, it's generally better for the business if you continue to employ them afterwards than to kick them out and then ultimately replace them with someone who hasn't learnt that lesson first hand (though obviously it depends what they did wrong).
Maybe I'm just feeling overgenerous this morning?
If card processing was integrated into the POS software - and the malware was able to intercept the card data - then surely the supplier of the POS software is liable?
I was under the impression that cardholder information was supposed to be encrypted, PCI DSS compliant, and all that jazz?
One of my customers... runs a little shop with a rented POS Windows box. On the first visit about 8 months ago I was there, and I remarked on the fact it was running XP, IE6 and had Avira free anti-virus on it. The user account was running as an admin.
Told her to get hold of them and demand an upgrade.
She did so, and they replaced it with... another XP box (which I only found out about about 3 weeks ago - I don't see her very often). She told me that they had said that it was perfectly secure because it was "running through the Windows 7 server", which it isn't, and even if it was, it's directly connected to her internet connection anyway. Their staff browse on it, for crying out loud. They just spun her a line of BS.
I sent her an email explaining why this was completely unacceptable, and suggested she forward it on to them. They are replacing the till tomorrow.
The old dear who runs the shop has no idea at all about computers, and can only trust what her POS supplier is telling her. They clearly don't give a monkey's about security. I wonder what the PCI-DSS guys would make of the fact that she is accepting cards on this kind of setup? I'm amazed they haven't stepped in - I have to do compliance once a year for my card acceptance. Maybe the POS guys do it for her, in which case, why haven't they stepped in? The only answer is that the POS guys are lying to them. It's pretty piss poor and I'm sure that this is not the only example of this kind of thing.
Whilst I would encourage people to get off XP-based systems as soon as they can, the XP-based POS systems do "enjoy" longer support from M$:
Windows Embedded for Point of Service V1 - extended support ends April 2016
Windows Embedded POSReady 2009 - extended support ends April 2019
That dull thwack you hear is retailers booting upgrades into the long grass.
I may be wrong, but Supervalu in the US and Supervalu in Ireland are two completely different entities. The loyalty card breach last year happened to the brand SuperValu which is owned by Musgrave group in Ireland - and if I recall it was a malicious breach with the loyalty card company as opposed to the retailer.
"As in the Target case, the board should fire both the CEO and the senior IT management that allowed this to occur for gross negligence. Technology and processes exist to eliminate this class of problem, but the CEO chose not to or could not implement them due to lack of knowledge or will."
You forgot the real reason: "Security costs money, and that comes out of my bonus."