Iowa Gaming Commission hack: What we can learn.
Feb 3rd, 2010 by Ryan Meyer
In a continuation from my last post, this post is about the Iowa Gaming Commission hack. Today the Des Moines Register noted my opinion of the incident and a concurring opinion from Iowa State University Professor Qing Hu.
This post is about what the State did right, and about how this relates to local businesses and consumers.
Assuming I was correct in my last post, the "hacker" was actually a routine virus: the server containing the employee database became infected, the virus was removed within 30 minutes, and this hoopla ensued. Some people might wonder why such a big deal was made if the information wasn't at risk. The answer is, quite simply, that they're required to by law; it's a mandatory incident response. The stuff about the Chinese government wasn't necessary, but I digress.
Consider this –
Your dentist, physician, insurance agent, accountant, and financial advisor all have private information about you — your name, date of birth, social security number, and probably a lot more. They are indeed regulated — HIPAA and GLBA for example — but when’s the last time you asked for an independent auditor’s report of compliance?
Because... psst... they probably aren't compliant OR secure! And they probably have data breaches far worse than this at least once a year. They just don't report them, and not because they're malicious: they just didn't realize it was a breach, or that incident response was required, or what incident response even is.
And that credit card that you're afraid to use online? Most online merchants undergo PCI-DSS compliance auditing and are actually relatively safe. The tanning salon that charges you every month? Some of them keep a text file with a list of names, credit card numbers, and expiration dates on the same machine that the front desk staff download Limewire on.
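That plaintext card list is exactly what PCI-DSS cardholder-data discovery is meant to catch. As an added example that is not from this post, here is a small Python scanner that finds unmasked card numbers in text: it looks for digit runs of 13 to 19 (with optional space or dash separators) and applies the Luhn check to drop serial numbers and phone numbers that merely look like cards. The sample file contents are constructed and use publicly known test card numbers, not real data.

```python
"""Find unmasked payment card numbers (PANs) in text, as a cardholder-data
discovery check for PCI-DSS scope. Added example; sample data is constructed."""
import re

# Candidate PAN: 13-19 digits, optionally grouped by spaces or dashes, not
# embedded in a longer digit run (the lookarounds reject partial matches).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show only the last four digits, so the report itself holds no usable PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list:
    """Return one finding per Luhn-valid PAN in `text`: line number, masked value, length."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append({"line": lineno, "masked": mask_pan(digits),
                                 "length": len(digits)})
    return findings


# Constructed sample of the kind of file described in the post (test numbers only).
SAMPLE_FILE = """\
# customers.txt (constructed sample, not real data)
Jane Doe, 4111 1111 1111 1111, 03/12
John Roe, 5555-5555-5555-4444, 11/11
Front desk phone: 515-555-0100
Invoice 1234567890123456 is a serial, not a card
Pat Poe, 378282246310005, 07/13
"""

if __name__ == "__main__":
    for f in find_pans(SAMPLE_FILE):
        print(f"line {f['line']}: {f['masked']} ({f['length']} digits)")
```

Run it against exported spreadsheets, invoices, or a mailbox dump and every hit is a file that either belongs inside PCI-DSS scope or should not hold that data at all. The phone number and the invoice number in the sample are deliberately present to show the Luhn filter doing its job.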
Ignorance is not an excuse, but that is precisely what small businesses claim. Even when told that their contract with Visa requires PCI-DSS compliance, they’re unlikely to make any changes.
Taking all of that into account — I commend the State on not trying to sweep this under the rug and instead following their proper procedures. I only wish small businesses knew to do the same.