When intruders last year gained access to 3.7 million credit card numbers in its customer database, Internet retailer Egghead.com took immediate steps against extortion. The Menlo Park, Calif.-based company issued a press release to signal it wouldn't be cowed into silence, reviewed its security procedures and called in law enforcement authorities.
Unlike a previous incident when a cracker stole 300,000 credit card numbers and tried to extort US$100,000 from CD Universe Inc., an online retailer in Wallingford, Conn., Egghead said it didn't receive blackmail threats. But the company's swift and strategic response to the security breach paid off with customers, including Ryan Russell, IT manager at SecurityFocus.com in San Mateo, Calif. "It's not that big a deal," he says. "If [Egghead] had been trying to cover it up so it would not lose market share, it would have been much worse. I, as a consumer, am much more willing to forgive an honest mistake than a coverup."
Russell, whose company runs the well-known BugTraq mailing list that posts security bugs, says companies tempted to negotiate with blackmailers are usually most concerned about losing credibility and receiving negative publicity.
But negotiating is a bad idea for several reasons, he says. First, victims can't trust the victimizers with whom they are attempting to negotiate. Second, companies can't trust that an extortionist hasn't passed on stolen information. And finally, companies that have credit card data stolen are obliged to report the theft to the credit card companies, which in turn will cancel the cards and immediately notify users.
Richard Stiennon, an analyst at Gartner Group Inc. in Stamford, Conn., says extortion attempts would decline if companies refused to cooperate with would-be blackmailers and instead seized the opportunity to spin the story their way. Microsoft Corp. did that last year when an intruder potentially accessed source code for its upcoming operating system release. Microsoft first reported that a cracker had been inside its machines for months but later claimed that the intruder had never accessed the actual product code.
By spinning the story, "you're able to demonstrate to customers and shareholders that not only did you have good security before, but you can respond quickly and plug holes as they occur," says Stiennon.
People who ferret out security holes in commercial software have also been accused of blackmail. But Russell says there's a vast difference between blackmail and disclosure. Blackmail implies financial gain on the part of the blackmailer, he notes, but the only reward for publishing bugs is recognition.
Russell says the harsh light of publicity used to be the only way to get many vendors to plug known security holes. But now, most software companies are more responsive to bug reports. And most bug hunters now give companies at least several weeks to fix a bug before they make flaws public.
Says Russell, "It's getting to the point where the recognition you get if you don't give vendors enough notice is more negative than positive."