David Jones follows Kmart into 'we've been attacked' hell

Australian high-falutin retailer David Jones has become the second in two days to admit to a data breach of its retail systems. DJ's statement is remarkably similar in its substance to Kmart's: like the down-market chain, DJs says “The information obtained was restricted to customer name, email address, order details and …

  1. John Tserkezis

    "The Register has contacted IBM to ask whether its WebSphere platform was the weak point in the attacks"

    That's way too broad a claim to entertain until you start looking deeper. It's like saying two cars were broken into, and both had four pneumatic tyres, therefore any vehicle that has four wheels is vulnerable to a break-in.

    Besides, I'm quite sure IBM, er, the tyre manufacturers are just going to distance themselves anyway.

    1. Mark 85

      I think it's more like "someone broke into two Fords"... or possibly "two Ford Fiestas" since it's IBM's WebSphere. Although, given the way things have been lately, it may be like "the owners forgot to lock the cars"....

      1. dan1980

        The analogy game! Can I play?

        Actually, it's more like two cars (of whatever type) being stolen from the same parking garage.

        1. Tom 13

          @dan1980

          Perhaps Parking Garage chain? That is, not necessarily even the same garage since presumably they are on different physical servers in the WebSphere Cloud.

          1. Jim Mitchell

            Re: @dan1980

            This isn't a "WebSphere Cloud". They are probably client owned and operated servers running WebSphere. WebSphere is "middleware", not an application in and of itself.

    2. Anonymous Coward

      WebSphere Commerce

      Quick bit of googling shows that DJs website runs on WebSphere Commerce, the website was built by IBM, and IBM is still providing support to DJs as of 2015.

  2. Your alien overlord - fear me

    So, Davy Jones's locker isn't secure. That was obvious in PotC part 2. Doesn't anyone learn from movie mistakes?

  3. Anonymous Coward

    Websphere weakness?

    More likely that they haven't been patched recently. From the number of IBM Notifications I get and the patches released especially for Java I would think that this is more likely the reason for the breach.

    The sites that I support are patched ASAP after we have done our regression testing.

    WebSphere App Server can be a PITA because of the sheer number of Fixpacks. I do know of some retail sites still running a version of WebSphere commerce that is SIX years old. Needless to say, IBM won't even think of supporting them until they upgrade.

  4. Dan Paul

    Perhaps...

    Software manufacturers should be required by international law to provide security patches and updates for their software forever? They KNOW that customers do stupid things.

    Maybe software like this should just stop working if the client does NOT patch or update within a few days? Nothing like downtime throughout the Point of Sale system to get management attention.

    Maybe the owners of such systems should be required to pay $10,000 (or MORE) to EACH person affected by such a breach? THAT will get their attention for sure!

    That would certainly raise the visibility of the IT department from "simple overhead" to "risk avoidance".

    1. Tom 13

      Re: Perhaps...

      Perhaps not forever. But I'm certainly willing to start at 10 years and 6 seems a no-brainer to me.

      We can modify it down the road as necessary.

    2. Phil Kingston

      Re: Perhaps...

      With online shopping still a fledgling novelty in Oz, any move like that would just see the retailers shutter their online offerings.

      And requiring manufacturers (in any industry) to supply free upgrades for life would see them just choose to shut up shop too.

      What's needed is decent sysadmins and better CIOs.

      1. THE_Known_Unknown

        Re: Perhaps...

        "What's needed is decent sysadmins and better CIOs."

        ...and maybe ALL involved working in co-ordination to keep things ticking over safely, rather than leaving it up to the odd lowly sysadmin, or sprinkling some token security fairydust once everyone else has left gaping holes.

        The ALL being marketing rushing stuff out, developers, web content people, outsourced help etc.

        Interesting that DJ only announced after seeing Kmart do it first. Their breach was earlier. Smokescreen the bad news; they'll all forget in a few weeks.

  5. Anonymous Coward

    …WebSphere platform was the weak point…

    No more a weak point than Apache on Linux/Unix or IIS on Windows.

    The biggest culprit for this sort of thing is quite often the code being run atop these servers.
