LookSee data leak

Jan

Standard Bank property tool exposed home owners' personal data

Standard Bank and Lightstone Properties have confirmed that the bank's LookSee platform exposed the personal information of property owners in South Africa.

LookSee is one of Standard Bank's home services platforms, which provides property valuations and trends. It uses information from Lightstone for valuation and market intelligence on properties in South Africa.
 
Are SA companies more vulnerable to this sort of thing? Do companies take security (especially personal information) seriously enough?
 
Twats...

So how about contacting the people whose data was compromised so you can warn them to be vigilant ffs rather than some random blanket statement.
I have no idea what data Lightstone has in relation to me, and I'm not an SB client...
 
Are SA companies more vulnerable to this sort of thing? Do companies take security (especially personal information) seriously enough?

I would say that they pursue best IT practices, but obviously best practices are muddied by standards, not to mention the human element. However, these enterprises do tend to take security more seriously when they have been compromised. The thing with security is that you can’t be publicly transparent about it without risking its integrity. Training, training, training, audits, audits, audits, penetration, penetration, penetration… It is a cycle.
 
Are SA companies more vulnerable to this sort of thing? Do companies take security (especially personal information) seriously enough?
They don’t value developers enough. So they hire mediocre developers on the cheap and this is the result.
 
I would say that they pursue best IT practices, but obviously best practices are muddied by standards, not to mention the human element. However, these enterprises do tend to take security more seriously when they have been compromised. The thing with security is that you can’t be publicly transparent about it without risking its integrity. Training, training, training, audits, audits, audits, penetration, penetration, penetration… It is a cycle.

You're right at some levels.

The intention is to pursue best IT practices, and be secure and all that... but when your systems get monumentally complex and sprawling, it's very easy to inadvertently have a security issue sneak in and no one be any the wiser. Even with the best efforts of a security team, the hard deadlines and complexity of things will see some poor practices slip in from developers and IT engineers alike.
 
You're right at some levels.

The intention is to pursue best IT practices, and be secure and all that... but when your systems get monumentally complex and sprawling, it's very easy to inadvertently have a security issue sneak in and no one be any the wiser. Even with the best efforts of a security team, the hard deadlines and complexity of things will see some poor practices slip in from developers and IT engineers alike.

Hence, I said, it is muddied by standards. I have now been in IT since 2008, and it is rare to experience any party share the same values and standards, but it also gets blurred in the boardroom because… reasons.
 
“The personal information does not contain any banking details, cell-phone numbers or email addresses.”

It only contains names, identity numbers, entity registration numbers, marital status and physical addresses, which is probably worse.
Won't take much social engineering to get passwords reset using that info or to steal identities.
 
Are SA companies more vulnerable to this sort of thing? Do companies take security (especially personal information) seriously enough?

Getting things done at any cost > security, testing, release management etc
 
It only contains names, identity numbers, entity registration numbers, marital status and physical addresses, which is probably worse.
Won't take much social engineering to get passwords reset using that info or to steal identities.

Funny thing about this: because they aren’t proactive, they are reactive, and their reaction would now be to slap their customers on the wrist, reminding them about their security and how to be more cautious. Happens every time.

The question now is how they were exposed or made vulnerable: was it a zero-day, or was it preventable?
 
Hence, I said, it is muddied by standards. I have now been in IT since 2008, and it is rare to experience any party share the same values and standards, but it also gets blurred in the boardroom because… reasons.

I'm not even really talking "standards" here.... Just poor coding practices and such can see bad things sneak through the best testing/security measures.

**EDIT** and only 2008 in IT? Junior, junior junior... You have much to learn and many things to see that you will never be able to unsee in the years to come :P
 
South Africa simply does not have the means, the capability, the experience, the education or the staff to protect personally identifiable information. That is that. Simply live with it, hope the companies get fined, government gets richer, and just wait for the next breach. By the way, it is not as if all our consumer data has not leaked before. It is not as if any person's information is not in criminal hands already.
 
So Standard Bank was down yesterday. What are the odds this incident is linked to their downtime, and if so, what other compromises happened that they haven't made public yet?

Twats...

So how about contacting the people whose data was compromised so you can warn them to be vigilant ffs rather than some random blanket statement.
I have no idea what data Lightstone has in relation to me, and I'm not an SB client...

Probably plausible deniability, in the sense that you can't prove your specific data was leaked and therefore be in a position to sue for recourse. It's a Schrödinger's data leak that you have no control or leverage over.
 
Are SA companies more vulnerable to this sort of thing? Do companies take security (especially personal information) seriously enough?
Risk & Compliance: Does it have anything to do with banking?
Stakeholders: No.
Risk & Compliance: Do as you wish.
 
Then why was Standard Bank completely offline, if it was only at a 3rd party and the info that was stolen relates to property trends?

LookSee,

 