by roadkillon101 2744 days ago
This is an example of the "tail wagging the dog". Whether a "State Sponsored" organization hacked IBM or someone in their mother's garage, IBM and other companies ARE responsible for keeping their customers' data safe. While it's true a state sponsored entity would have more resources than a kid in a basement, IBM has the resources to pay for full time IT security professionals, and for the amount of money they charge for their products and services, they should have more than enough resources to pay for decent 3rd party security products and services. They KNOW they have a target on their back; it's their responsibility.

> While it's true a state sponsored entity would have more resources than a kid in a basement

In this case, according to the indictment, it was a few spearphishing emails with .docs attached, followed by keylogger and other malware installation. The companies should be held responsible for being silly in this case.

It's a bit silly, sure, but just because they got breached in this phishing attack doesn't mean they didn't resist other attacks successfully.

Personally, yeah, companies need to be held to a higher standard against hackers, but if we're going to be realistic, we only expect they could do it because it's IBM and they have a lot of money. What about all the other companies? Rhetorically, what are we going to do about this issue? There have been decades of fairly basic confidence schemes and "hacks", and all the corporate training in the world isn't making a dent in people trusting strangers and running malicious files.

I have some strong views here.

1. These are cons more than hacks, as you wrote. I believe the protection doesn't exist only because there's no real risk. What would happen if some employee got conned into sending out company money? Why isn't the same response applied to obtained information?

2. Principle of least privilege + monitoring. Those companies should know almost immediately about the break-ins. Even if the training fails, there are mechanisms to stop this.

I'm starting to believe that at some point we should start fining people for lack of protection.

I doubt you can get to a state that will make your company unhackable. You can get to a state where you are able to discover a breach and remediate relatively quickly.

True, nothing is "unhackable", and it reminded me of Oracle Corporation's challenge about 10 years ago... they placed billboards and marketed that they had an "Unbreakable" system... within hours of this announcement they were "hacked". What these companies can do is change their premise for guarding their customers' information. Instead of putting a singular firewall around their information system, they "compartmentalize" their customers' info so an attacker may get one or two customers' info, not hundreds or thousands at a time. Further, the critical info of each customer can be further "compartmentalized" to make the information difficult to access. This is how they approach the Cardholder Information Security Program (CISP) with cardholder data. This approach ASSUMES the information at some point will be compromised, so with this assumption, when there is a breach, the damage will be limited, not massive as was the case with IBM and the other companies involved. They could have done something like that; however, based on the media play they are doing now, I'm guessing there are hundreds if not thousands of companies involved.
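The two ideas raised in this thread, least privilege with monitoring (the earlier comment) and compartmentalizing customer data so a single compromised credential exposes one customer's records rather than all of them (this comment), can be shown in a small model. The following is an added example, not code from any commenter or from IBM, HPE or Oracle; the store, credential names, customers and records are all constructed for illustration.

```python
"""Blast-radius model for compartmentalized customer data plus scoped credentials.

Added illustration; every name and record below is constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class Credential:
    """A service identity scoped to the customer compartments it may read."""
    name: str
    allowed_customers: FrozenSet[str]


@dataclass
class CompartmentedStore:
    """Each customer's records live in their own compartment; every read is audited."""
    compartments: Dict[str, List[dict]] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def put(self, customer: str, record: dict) -> None:
        self.compartments.setdefault(customer, []).append(record)

    def read(self, cred: Credential, customer: str) -> List[dict]:
        # Least privilege: the credential must be scoped to this compartment.
        if customer not in cred.allowed_customers:
            self.audit_log.append(f"DENY cred={cred.name} customer={customer}")
            raise PermissionError(f"{cred.name} is not scoped to {customer}")
        self.audit_log.append(f"ALLOW cred={cred.name} customer={customer}")
        return list(self.compartments.get(customer, []))


def blast_radius(store: CompartmentedStore, cred: Credential) -> int:
    """How many records a stolen copy of this credential could read at most."""
    return sum(len(store.compartments.get(c, [])) for c in cred.allowed_customers)


def records_reachable(store: CompartmentedStore, cred: Credential,
                      probe_customers: Iterable[str]) -> int:
    """Records actually obtained when a credential is tried against every compartment.

    Denied attempts are swallowed here but remain in the audit log, which is
    what the monitoring side below keys on.
    """
    obtained = 0
    for cust in probe_customers:
        try:
            obtained += len(store.read(cred, cust))
        except PermissionError:
            pass
    return obtained


def denied_by_credential(store: CompartmentedStore) -> Dict[str, int]:
    """Monitoring view: denied reads per credential, the signal for 'know immediately'."""
    counts: Dict[str, int] = {}
    for line in store.audit_log:
        if line.startswith("DENY "):
            name = line.split()[1].split("=", 1)[1]
            counts[name] = counts.get(name, 0) + 1
    return counts


def build_demo_store() -> CompartmentedStore:
    """Constructed sample data: three customers with five records each."""
    store = CompartmentedStore()
    for cust in ("acme", "globex", "initech"):
        for i in range(5):
            store.put(cust, {"customer": cust, "id": i, "card_last4": f"{1000 + i:04d}"})
    return store


if __name__ == "__main__":
    store = build_demo_store()
    everyone = ("acme", "globex", "initech")
    broad = Credential("billing-all", frozenset(everyone))   # one key to all compartments
    scoped = Credential("billing-acme", frozenset({"acme"}))  # one key per customer
    print("worst case if stolen:", blast_radius(store, broad), "vs", blast_radius(store, scoped))
    got = records_reachable(store, scoped, everyone)
    print("obtained with scoped credential:", got)
    print("denied attempts to alert on:", denied_by_credential(store))
```

Running the block shows the point of the comment: the broad credential puts all 15 records at risk, the scoped one caps the loss at 5, and the two denied reads against the other compartments land in the audit log where a detection rule can raise an alert while the incident is still small.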
I agree a lot more can be done, but if you look at how advanced some of the state level groups (like APT-29) are, if you are truly a target it's tough even if you follow all the best practices.
Aren't HPE and IBM precisely the types of companies that states turn to for IT infrastructure?
That's a bit of a silly thing to say. It's known that state actors can break 128-bit encryption; perhaps even 256-bit is not secure.