Keeping the usernames and passwords of customers in a database vulnerable to the outside – and not realizing or reporting the loss of that data when it happened – indicates more than just lax security.
For the SCADA vendor it shows unforgivable negligence toward both security and customers.
The vendor should have known it had been hacked, understood the implications of the kind of data it lost and warned the customers its negligence had made vulnerable.
That it apparently did none of these things is a crime in itself.
It's a crime with plenty of accomplices, however.
Three characters for a password? Really, South Houston?
"I wouldn't even call this a hack, either. This required almost no skill and could be reproduced by a two year old with a basic knowledge of Simatic," pr0f posted, downplaying the accomplishment while appropriately humiliating the victim.
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld.