May 05, 2011, 12:26 PM

Except among political junkies and sports fans, the kick-'em-when-they're-down impulse is stronger among techies than probably any community that doesn't engage in cannibalism.
When a major figure screws up, there's not much sympathy, especially when the screwup puts that company's partners or customers at risk – with poor security that fails to protect the personal data of tens of thousands of people who trusted that a major technology company would handle its security responsibly.
That's not only a violation of trust, it's a violation caused by negligence, ineptitude or simply being too cheap to shell out for the necessary level of security.
So how should you handle a data breach in a way that will keep people from emptying metaphorical bedpans on your grave?
Check this customer update the online password-management service LastPass posted last night.
LastPass didn't take a major hit like Sony, Epsilon, Sony and Sony did. It found two anomalies in server logs that indicated someone might have gotten into a secondary database that held customer emails, encrypted passwords and, possibly, enough data to make it possible to crack the server's password.
Rather than sit on the information for a week or two, as Sony did, LastPass pulled the server and database offline, unplugged the box on which they lived and is rebuilding it.
It also let customers know what was happening – in detail – and what it planned to do about it.
The data that might have been taken – there's no confirmation it was – wasn't a list of passwords or a customer list sitting in the open. It was a set of encrypted data blobs that would give data thieves the ability to try brute-force attacks on those specific passwords, then come back to LastPass to get the rest.
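The risk the column describes is offline guessing: once a blob of salted, iterated hashes leaves the server, nobody can rate-limit the attacker, so the only things standing between a thief and a user's account are the strength of the master password and the cost of each guess. The example below is added here to make that risk concrete; it is not LastPass's code and makes no claim about its actual format. It assumes a blob is a PBKDF2-HMAC-SHA256 verifier (a common choice, stated as an assumption), uses a constructed salt and a tiny constructed candidate list, and reports how many guesses a leaked blob admits before a weak password matches, and how iteration count multiplies the work per guess.

```python
import hashlib
import hmac

# Constructed sample values for the demonstration; not from any real system.
SAMPLE_SALT = b"constructed-16byte"  # in practice: 16+ random bytes per user
LOW_ITERATIONS = 1_000               # weak: cheap per guess for an offline attacker
HIGH_ITERATIONS = 100_000            # stronger: 100x more work per guess


def derive_blob(password: str, salt: bytes, iterations: int) -> bytes:
    """Build the stored verifier: PBKDF2-HMAC-SHA256 over the master password.

    The server never stores the password itself, only this derived value plus
    the salt and iteration count needed to recompute it.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def verify(candidate: str, salt: bytes, iterations: int, stored: bytes) -> bool:
    """Check a candidate against a stored blob with a constant-time comparison."""
    return hmac.compare_digest(derive_blob(candidate, salt, iterations), stored)


def guesses_until_match(candidates, salt: bytes, iterations: int, stored: bytes):
    """Risk model for a leaked blob: how many offline guesses from a candidate
    list are needed before the blob yields its password. Returns None when no
    candidate matches, which is the outcome a strong master password produces.
    """
    for count, candidate in enumerate(candidates, start=1):
        if verify(candidate, salt, iterations, stored):
            return count
    return None


def offline_work(guesses: int, iterations: int) -> int:
    """Hash invocations an offline attacker must spend for a given number of
    guesses: every guess costs a full PBKDF2 run of `iterations` rounds."""
    return guesses * iterations


if __name__ == "__main__":
    # Constructed candidate list standing in for a common-password wordlist.
    wordlist = ["password", "123456", "letmein", "qwerty"]

    weak_blob = derive_blob("123456", SAMPLE_SALT, LOW_ITERATIONS)
    strong_blob = derive_blob("correct horse battery staple", SAMPLE_SALT, HIGH_ITERATIONS)

    n = guesses_until_match(wordlist, SAMPLE_SALT, LOW_ITERATIONS, weak_blob)
    print("weak master password found after", n, "guesses;",
          "attacker work =", offline_work(n, LOW_ITERATIONS), "hash rounds")

    m = guesses_until_match(wordlist, SAMPLE_SALT, HIGH_ITERATIONS, strong_blob)
    print("strong master password: match =", m,
          "(each guess would have cost", HIGH_ITERATIONS, "rounds)")
```

The two levers a service controls are visible in the output: a higher iteration count raises the price of every guess by the same factor, and a per-user salt forces that price to be paid separately for each blob rather than once for the whole table. The lever the user controls, a master password that is not on any wordlist, is what turns the guess count from a small number into "none found".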