Comment Re:Criminal liability ... (Score 2) 82
They're only a "victim" due to lax security. The corporation broke the law too, by not properly securing their data as required by HIPAA law. And we SHOULD accuse them partially for the success of the criminals, as they enabled them twice. Once by having crap security, and two by not even noticing for an entire year. The HIPAA law might have changed since I did audits, but you're supposed to do them on a yearly basis as well. So, triple failure.
As a side note, there seems to be a marketing opportunity here for security companies to do active domain name "dyslexic" attacks. It seems it would be trivial to have a script that transposes numbers into the real URL and does a WHOIS on a scheduled basis. Really, there are probably a dozen employees at Carefirst who could do this. At my job, probably over 50% of the people I directly work with could either do this off the top of their head or figure out how to do this in a few days; and they're not even programmers or such.
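The monitoring script the comment describes, sketched as an added example that is not part of the original comment: it builds a watchlist of lookalike names for a brand domain and flags any that show up as registered. The substitution table, the domain `examplecare.com`, and the sample lookup results are assumptions constructed for illustration; a scheduled job would replace the sample set with real WHOIS or RDAP results.

```python
# Added example: lookalike-domain watchlist for brand monitoring.
# The substitution table is an assumed, non-exhaustive set of
# letter-to-digit confusions; extend it to suit the brand name.
LOOKALIKES = {"o": "0", "l": "1", "i": "1", "e": "3", "s": "5"}


def variants(domain):
    """Return the set of lookalike domains for one registered name."""
    # Only the first label is mutated; the rest is kept as the suffix.
    label, _, tld = domain.lower().partition(".")
    out = set()
    # Swap a letter for a similar-looking digit, one position at a time.
    for i, ch in enumerate(label):
        if ch in LOOKALIKES:
            out.add(label[:i] + LOOKALIKES[ch] + label[i + 1:])
    # Transpose each pair of adjacent characters.
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    out.discard(label)
    return {f"{v}.{tld}" for v in out}


def flag_registered(domain, registered):
    """Return the variants of `domain` that appear in `registered`.

    `registered` stands in for the output of the scheduled WHOIS
    lookups; a real job would query each variant instead.
    """
    known = {d.lower() for d in registered}
    return sorted(variants(domain) & known)


# Constructed sample data: a hypothetical brand and lookup results.
BRAND = "examplecare.com"
SAMPLE_REGISTERED = {"examp1ecare.com", "exampelcare.com", "unrelated.org"}

if __name__ == "__main__":
    for hit in flag_registered(BRAND, SAMPLE_REGISTERED):
        print("review registration:", hit)
```

Each flagged name is a candidate for review, not proof of abuse; the registrant and creation date from the lookup decide what happens next.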