Richard Nixon taught us that the cover-up is worse than the crime. Tylenol taught us that everything is forgiven if you're willing to fess up.
So I have two questions for Network Solutions management:
- Why did you wait almost two full weeks before announcing that you suffered a data breach that affected your merchant customers?
- Did you do something different on June 9 to prevent further transactions from being affected, or did the attackers simply stop?
On July 13, 2009, we were informed by our outside forensic experts that the data being transferred may have included credit card information. The code may have captured transaction data from approximately 573,928 cardholders for certain periods this spring. Exposure varied by merchant, but in all cases took place sometime between March 12, 2009 and June 8, 2009. Transactions after June 8, 2009 were not exposed to the unauthorized code. We have notified law enforcement and are working closely with them on the investigation.
Everyone understands that these kinds of issues have to be cloaked in secrecy, but Network Solutions has refused to explain why it took so long to reveal the data loss, why there have been no further breaches since June 9, or even the identity of its "outside forensic experts." My request for comment has been ignored.
There may very well be excellent reasons for keeping so mum, but security -- both national security and Internet security -- is often used to cover up mismanagement, illicit behavior, or bungling incompetence. Customers will start asking the same questions that partners and rivals have already advanced; Amichai Shulman, CTO of security vendor Imperva, noted in an email that Network Solutions "took more than six weeks to reveal the problem to the media and customers. What have they -- and the card services companies -- been doing in the interim?"
A customer using the pseudonym DrMiaow Tweeted: "Hoping I'm not going to get a 'Dear James, you should get yourself tested' email from Network Solutions."
Network Solutions owes its customers a better explanation, even if it has to be somewhat redacted to protect its vital interests. Failing this, its credibility will take a significant hit.