18 IT Compliance, Info Sec & Privacy Links to Fortune’s 101 Dumbest Business Moments in 2007

Tis the season for lists upon lists upon lists. However, Fortune’s “101 Dumbest Moments in Business” for 2007 caught my eye for being rather unique-sounding. There were *MANY* dumb information security and privacy business moments in 2007; I wondered, did Fortune recognize any of them?
I took the time to flip through them quickly…ah, yes! Quite a fun exercise! And here are at least 18 IT compliance, info sec and/or privacy links to the Fortune 101 list:


1) “10. Electronic voting machines: Election officials in Florida promptly order 5,000 units: Diebold tightens security after it is revealed that a simple virus can hack its electronic voting machines. Months later a hacker uses a picture of a key from the company website to make a real key that can open the company’s machines.”
– Intellectual Property Protection (DUH!)
– Physical Security
– System Firewalls
– Malware Controls
Can we please go back to good ol’ hand written ballots before Nov 2008?
2) “12. Procter & Gamble: Deep doo-doo: The parents of two Florida toddlers sue Procter & Gamble after they are surprised to find images of their children on packages of Luvs diapers. The parents say they were paid a “nominal fee” at a casting call but were promised an additional payment if the photos were selected.”
– Contractual Compliance
– Privacy principle: consent to use personally identifiable information (PII)…the photos
3) “16. Microsoft’s PR firm: And the Patricia Dunn Pretexting Award goes to … While working on an article about Microsoft, Wired contributing editor (and former Fortune writer) Fred Vogelstein receives a 13-page dossier about himself, describing him as “tricky” and his stories as “sensational.” The document, prepared by the company’s public relations firm, Waggener Edstrom Worldwide, as background for Microsoft executives, was sent inadvertently to the writer.”
– Email security: classic email OOPS!
4) “38. Google: Are you a moron? Click here now! To test Google’s ability to block harmful advertising, Belgian IT security consultant Didier Stevens posts an ad that reads “Is your PC virus-free? Get it infected here!” It is accepted by Google and displayed 259,723 times; 409 web surfers actually click on the ad.”
– Simply brilliant and outstanding information security awareness exercise! Way to go, Didier! (A fellow Security Catalyst Community member.)
5) “40. Comcast: Oh, Manny, you’re soooooo handy: Young Comcast customers in New Jersey are surprised when a scheduled showing of Disney Channel’s Handy Manny – featuring bilingual handyman Manny Garcia and his talking tools – is replaced by hard-core pornography. A parent says she will cancel her Comcast subscription just as soon as the NHL playoffs are over.”
– Change Control
– Quality Control
– I wouldn’t be surprised if someone will file a “pain and suffering” civil suit over this.
6) “44. Bank of America: Another subprime stunt: A Bank of America branch in Ashland, Mass., is evacuated after it receives a fax with the image of a lit match being held to a bomb’s fuse. The fax, sent by the company to alert employees to an upcoming promotion, somehow comes through without its text, which should read “The Countdown Begins … Small Business Commitment Week June 4–8.””
– Fax security, or possibly fax maintenance flub
– Quality Control / Change Control (maybe someone deleted the text on purpose as a ha ha)
7) “47. John Mackey: He’s also honest, humble, and nuttier than an organic fruitcake: “I like Mackey’s haircut. I think he looks cute.” — Whole Foods CEO John Mackey, posting under the screen name Rahodeb, on a Yahoo Finance stock forum. The Federal Trade Commission reveals that Mackey authored this and numerous other posts over an eight-year period, hyping his company and himself while trashing the competitor he hoped to acquire, Wild Oats.”
– “On the Internet nobody knows you’re a dog.”
Don’t take what you see on the Internet as verified facts…much is far from accurate or real.
8) “49. German screw factory: The red-light district in Amsterdam immediately closed: A worker in a German screw factory smuggles out 2,000 to 7,000 screws per night, ultimately stealing more than a million units. He sells the screws below cost on the Internet, artificially depressing the entire screw market.”
– Logging (screw inventory)
– Possibly separation of duties (who’s keeping their eye on the folks handling the screws?)
– Physical security
– Access control
9) “50. The Defense Department: Makes you wonder what it would cost to ship a million German screws: Exploiting a flaw in a Defense Department purchasing system, South Carolina parts supplier C&D Distributors rakes in $20.5 million in shipping fees on just $68,000 in sales. The scheme is finally detected when a Pentagon clerk spots a $969,000 bill for shipping two 19-cent washers to an Army base in Texas.”
– Change control
– Audit control
– Quality control
– Application testing
– SDLC
10) “51. Apple: One, two, three, four, we’ll sue you if you send us more: Nine-year-old Shea O’Gorman sends a letter to Apple CEO Steve Jobs suggesting ideas for improving her beloved iPod Nano, including adding onscreen lyrics so people can sing along. She gets back a letter from Apple’s legal counsel stating that the company doesn’t accept unsolicited ideas and telling her not to send in any more suggestions.”
– Completely silly. Okay, maybe not IT compliance, info sec or privacy related…well, perhaps how Apple may have used O’Gorman’s name or accompanying information…but completely silly, and horrible customer service; why are they shooting down someone who obviously loves their product and is inspired to suggest improvements? Yes, I’m sure the lawyers don’t want to end up being obligated to reimburse a 9-year-old for a brilliant idea they subsequently “already had planned to make”…
11) “54. Research in Motion: This is your brain on e-mail: BlackBerry users are forced to go cold turkey when maker Research in Motion’s servers go down for the better part of a day. “I felt like my left arm had been amputated,” says one. Six months later a number of prominent addicts – including venture capitalist Fred Wilson and Dilbert cartoonist Scott Adams – admit to experiencing phantom incoming-message vibrations even when not wearing their devices.”
– Availability
– Business continuity
– Disaster recovery
– And sad to think people are so attached to email…maybe we should have a worldwide “email-out” similar to the “smoke-outs” and “TV-outs” that are held?
12) “69. Exelon Nuclear: Good job. You’re fired. Exelon Nuclear terminates its contract with Wackenhut Security at its Peach Bottom plant in Pennsylvania after receiving a videotape showing a number of Wackenhut employees sleeping on the job. Exelon thanks the whistle-blower who shot the tape, then lets him go because he works for Wackenhut.”
– Surveillance
– Sanctions
– Perhaps lack of whistle-blower protection?
13) “72. Paris Hilton: Tort reform: That’s hot: Paris Hilton sues Hallmark after the company creates a greeting card depicting her as a waitress, served up with the following witty dialogue: “Don’t touch that, it’s hot.” “What’s hot?” “That’s hot.” Hilton, who had trademarked her catch phrase seven months earlier, claims commercial appropriation of her identity and invasion of privacy, seeking at least $100,000 in damages.”
– Lack of consent to use PII? (So claimed by the Hilton lawyer; however, the topic of how celebrity images can be used is hotly debated)
– Copyrights and trademarks
– Intellectual(?) property
14) “81. 365 Main: Fate’s here to see you, and she brought her wire cutters: On July 24, San Francisco data-center operator 365 Main issues a press release touting its 24/7 reliability: “In the unlikely event of a cut to a primary power feed, the state-of-the-art electrical system instantly switches to live backup generators, keeping the data center continuously running.” That day a power outage hits and three of its backup generators fail, taking down high-profile customers including RedEnvelope, Technorati, and Craigslist.”
– Business continuity
– Disaster recovery
– Egg on face…
15) “82. One Laptop Per Child: On the bright side, they’re learning a lot about anatomy: Nigerian schoolchildren receive $200 computers under the U.N. One Laptop Per Child program and quickly learn a few things nobody expected – such as how to find adult websites and how to store their favorite images on the computers’ hard drives. Program leaders say future laptops will be fitted with filters.”
– In the U.S., the Children’s Internet Protection Act (CIPA)
– Monitoring and filtering
– Access control
– Geesh, why didn’t someone think of putting filters on computers given to children? DUH!
16) “96. WikiScanner: All the vitriol that’s fit to print: Soon after the launch of WikiScanner – a website that links the editing of entries on Wikipedia with the computer networks where the changes were made – users uncover some newsworthy revisions: A Washington Post employee is found to have changed a reference to the owner of a rival paper from Philip Anschutz to Charles Manson, while someone at The New York Times added the word “jerk” 12 times to the entry on George W. Bush.”
– Change control
– Logging
– Access control
17) “97. Blogger: What comes up first when you Google “screwup”? Google’s Blogger software misidentifies a company-written blog as spam and automatically disables it.”
– Filtering
– Applications testing procedures
– Systems development life cycle
– Change control
18) “101. Maria Bartiromo: What, no action figure? In January, CNBC anchor Maria Bartiromo files to trademark her nickname, “Money Honey,” for use with a wide array of children’s products, including piggy banks, jigsaw puzzles, mousepads, comic books, and stuffed animals.”
– Copyrights and trademarks
– Intellectual property
– Access control (“Money Honey” merchandise won’t be coming near my sons for their access!)
