
NCIX Data breach 2018

SirRemog
Message added by vanished

This is the thread on this news story.  If you see other threads popping up about it, please report them and ask for them to be merged in here.  Don't bother commenting on them.

As of this afternoon my bank has heard nothing about this. Most infuriating, to say the least. Their only response was a canned "check every month with reporting agencies." Then they proceeded to tell me I could save money on their new Mastercard.

 

Neither the banks nor the government will do anything about this. CBC will run another feel-good story without any traction from anyone and it will die.

 

It's not that there isn't money to be had; after all, if they passed _any_ PCI compliance or audits, those auditors are in some serious hot water. It's that they are lazy. They've been sold on credit reporting solving any data breach concerns, which is complete BS.

 

 


NCIX: Let's fire our IT staff, *then* sell our old servers..

IT Staff: 
░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄
░░░░█░░░░▒▒▒▒▒▒▒▒▒▒▒▒░░▀▀▄
░░░█░░░▒▒▒▒▒▒░░░░░░░░▒▒▒░░█
░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░█
░▀▒▄▄▄▒░█▀▀▀▀▄▄█░░░██▄▄█░░░█
█▒█▒▄░▀▄▄▄▀░░░░░░░░█░░░▒▒▒▒▒█
█▒█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄▒█
░█▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
░░█░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
░░░█░░██░░▀█▄▄▄█▄▄█▄████░█
░░░░█░░░▀▀▄░█░░░█░███████░█
░░░░░▀▄░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
░░░░░░░▀▄▄░▒▒▒▒░░░░░░░░░░█
░░░░░░░░░░▀▀▄▄░▒▒▒▒▒▒▒▒▒▒░█
░░░░░░░░░░░░░░▀▄▄▄▄▄░░░░░█


1 hour ago, TechyBen said:

NCIX: Let's fire our IT staff, *then* sell our old servers..

See, I don't know if this is accurate. In Australia, when you file for bankruptcy, solicitors/liquidators take over to sell everything and the company doesn't really have any say.

 

Can anyone clarify this? Who would be responsible?


13 minutes ago, ZacoAttaco said:

See, I don't know if this is accurate. In Australia, when you file for bankruptcy, solicitors/liquidators take over to sell everything and the company doesn't really have any say.

 

Can anyone clarify this? Who would be responsible?

So, the liquidators sell Guns to people without checking if they are under 18? They don't check if the boxes contain illegal drugs, poisons, dead bodies, or criminal items?

 

Oh, and they also sell customer and private data on, because "Lolz, we are liquidators, and we don't follow any lawz, byzez, we got all the money..."

 

Something tells me liquidators are not above the law or moral decency.

 

PS, on an unrelated note and without hinting at what/how/who/when to avoid personal info, I am doing like exactly this same thing right now. Everyone was "quick, sell it/throw it out/get hundreds of people to help", I have been like "why?" they are "it will cost money", I'm like "so what, let it cost money, because are YOU going to be standing there when the police knock at your door if X/Y or Z turns up in those boxes you did not check? (I'd probably ask them to sign a bit of paper showing I had nothing to do with it!)"... yeah, they had no reply to that one, and so now I'm checking/doing it all proper. xD

 


24 minutes ago, TechyBen said:

So, the liquidators sell Guns to people without checking if they are under 18? They don't check if the boxes contain illegal drugs, poisons, dead bodies, or criminal items?

 

Oh, and they also sell customer and private data on, because "Lolz, we are liquidators, and we don't follow any lawz, byzez, we got all the money..."

 

Something tells me liquidators are not above the law or moral decency.

I think you may have misunderstood my first comment. I'm saying the liquidators are probably the ones who should be in trouble, not necessarily NCIX. Some were saying it's the founder's fault (I'm guilty of this), but after learning more about bankruptcy I really don't think he's to blame.

 

Liquidators are definitely not above the law or moral decency and I think they're the ones that are going to be facing any legal action.


56 minutes ago, ZacoAttaco said:

I think you may have misunderstood my first comment. I'm saying the liquidators are probably the ones who should be in trouble, not necessarily NCIX. Some were saying it's the founder's fault (I'm guilty of this), but after learning more about bankruptcy I really don't think he's to blame.

 

Liquidators are definitely not above the law or moral decency and I think they're the ones that are going to be facing any legal action.

Ah. Right. Sorry. :P

 

It's kinda both though in this case. NCIX for not putting *some* form of protection on the servers. Such as encryption. Though I know securing such things remotely would be difficult, it would still need some form of securing.

 

Not having a system to erase/secure/recover them lies with NCIX. The data being sold/used illegally lies with the warehouse/liquidators.

 

NCIX put petrol down, the Warehouse/Liquidators set it ablaze! :D


13 hours ago, ZacoAttaco said:

I think you may have misunderstood my first comment. I'm saying the liquidators are probably the ones who should be in trouble, not necessarily NCIX. Some were saying it's the founder's fault (I'm guilty of this), but after learning more about bankruptcy I really don't think he's to blame.

 

Liquidators are definitely not above the law or moral decency and I think they're the ones that are going to be facing any legal action.

I'm not sure whose responsibility it was to wipe the servers, but regardless (and this is something that I think has been overshadowed by the fact all this leaked), NCIX was absolutely and exclusively at fault for storing data the way they were in the first place (completely unencrypted and unsecured in any meaningful way). Had they followed proper procedures, even without wiping anything, the data should have been unrecoverable, period. Were the situation different - say, NCIX was still operating normally, and nothing had been leaked - and it was found out that this is how they were storing things, it still would have been a big story, and for good reason. I think that just speaks to the calamity of this leak in fact - that it has managed to completely overshadow something that in its own right was already huge, but as a result of the bigger problem is getting almost no attention.


On 2018-09-21 at 1:29 PM, This_guy1998 said:

Because the law isn't caught up to this day and age. Plus, who are you going to sue if the company went under and supposedly the owner might have left the continent? Essentially the trustee's responsibility is to liquidate assets (both physical and non-physical), pay off debt, and then make sure overall the business is wound down (things like acting as HR, basic customer service, and such).

The law covers all this. The problem runs a lot deeper.

 

It is actually a fundamental problem with how companies are organized and regulated in pretty much every country. Most companies are protected by what is called a corporate liability shield. This effectively shields corporations' owners and executives from any liability, whether it is the debts of the company, the negligence of the company or any other tort of the company.

 

This is a huge problem. It has created a situation which rewards people for being negligent, or even evil. It's not just tech; it's right across the board.

 

You can pass all the laws you want, but if there is no one who is taking personal responsibility for the violation of the law, what good is the law?

 

Legal Claim

 

First I just wanted to cover the actual legal claim. If you don't want to read it skip down to the real problem.

 

There is a really strong case for a tort claim under doctrine of negligence. Negligence has three elements: 1. Duty of Care Owed; 2. Duty of Care was Breached; 3. The breach led to a loss (damages). All three of these elements are present.

 

Furthermore, the Canadian Parliament recently passed the Digital Privacy Act, which amended the Personal Information Protection and Electronic Documents Act (Canada) to cover this exact scenario. It includes mandatory breach notification requirements and enhanced powers for the Privacy Commissioner. But it only applies to federally regulated industries such as airlines, banking and broadcasting. Note Canada does not have an inter-state commerce clause, but bankruptcy is federally regulated (see s. 91(21): Constitution Act, 1867).

 

Provincially, the law largely mirrors the federal law. The British Columbia Personal Information Protection Act governs, and it largely mirrors the federal law. It also includes special protections for the personal information of employees. I am not sure if the B.C. Legislature has amended its law to include the Digital Privacy

 

Even if the law only had protection for private paper data, under Canadian law it would be extended to include electronic data. Under the Canadian rules of statutory interpretation, judges have a lot of discretion to interpret the law. One of the tenets of statutory interpretation is Eiusdem generis ("of the same kinds, class, or nature"), so in this case when it says paper records, the law would be read to include electronic records. Since it is a natural extension of the same class, a judge would extend the law to include electronic data. They basically look to the Legislature's intent at the time, and how the Legislature would behave today.

 

The real problem is who is responsible? The law as it stands makes it difficult to make someone responsible in this kind of case.

 

NCIX

 

1. Duty of care is Owed:

 

NCIX had a duty of care to its employees and customers to keep their data secure. It can be proven by using the above referenced legislation under the doctrine of negligence per se. Even absent the legislation, they were entrusted with the information and likely they agreed to keep it secure.

 

2. Was there a breach of that duty of care:

 

There was a breach of that duty of care: they stored their data in a manner which was not at all secure; it was all either plain text or it had limited encryption.

 

3. Did the breach lead to damages:

 

That breach has led to people's Social Insurance Numbers ("SIN"), credit card numbers and address history all being exposed, which could lead to identity theft, and when it does the customers and employees have suffered damages.

 

If NCIX still existed, there would be a really high probability that they could be successfully sued. But NCIX is bankrupt and therefore gone; we can try to collect from whatever the bankruptcy process leaves behind, but really there is no NCIX to successfully sue.

 

Bankruptcy Trustee

 

1. Duty of care is Owed:

 

Yes, look at the law. I believe an accurate interpretation of the law would mandate that prior to selling the computer equipment the hard drives be securely wiped or even destroyed. The basic question is whether they are like empty boxes which once stored a person's sensitive data or more like the sensitive data itself.

 

2. There is a breach of that duty of care:

 

Yes, the trustee had the duty to maintain the confidence of former employees and customers and to securely dispose of data properly once it comes into the trustee's possession.

 

3. The breach has led to damages:

 

See above.

 

Now before you start jumping up and down thinking that we can sue the bankruptcy trustee, it is entirely possible the servers and computer equipment were never in the control of the bankruptcy trustee.

 

It's entirely possible that the landlord took the equipment before the trustee had taken control of NCIX. I note here that there was mention of unpaid rent. This could have gone one of two ways: the legal way, and the non-legal way.

 

The legal way: it is entirely possible that prior to going bankrupt, NCIX abandoned the lease to several warehouses with these servers. When the place was abandoned, the landlords have the right to seize all the property if NCIX made no serious attempt at regaining the property (Dean v. Kotsopoulos 2012 ONCA 143). In that case they are rightfully in the hands of the landlord.

 

The non-legal way: the landlord, hearing about the bankruptcy of NCIX, decided to seize all their property in the warehouse, including servers and data. Now we have a conversion claim against the landlord, and the bankruptcy trustee could sue under the doctrine of conversion, get the equipment back and sue for data theft.

 

This is so common, unfortunately. Disgruntled employees walk away with equipment. Contractors move in and take what they can and try to flip it. Plenty of others will do the same, including landlords. A bankruptcy trustee will try to secure what they can, but even before they move in, stuff is already gone. Usually certain people (i.e. employees, landlords or contractors) have advance notice that a bankruptcy is coming and they move in before the bankruptcy is declared.

 

In fact, I can tell you a story a colleague once told: she was a paralegal at a bankruptcy firm, and after everything was done, all that was left was a very large collection of liquor. The partner gave her a box and said take what you want.

 

So really, this was entirely foreseeable; the blame goes back to NCIX. NCIX should have foreseen that if it had not paid its rent, a landlord could legally or illegally seize the servers and the information on the servers could be exposed. So NCIX should have paid its rent and secured its servers.

 

The Company Executives

 

1. Duty of care is Owed:

 

No. NCIX is an incorporated company; there is no direct relationship between the customers and the company executives and therefore no duty is owed.

 

2. No duty, no breach.

 

3. No breach, no damages.

 

Real Issue

 

Imagine this: if Steve Wu knew that his failure to properly secure his employees' and his customers' data could mean that he would be personally sued, he would lose his house, he would lose his cars, face considerable personal problems, do you really think NCIX would have saved sensitive data in plain text format?

 

This is the real issue.

 

Prior to the passing of the Limited Liability Act of 1855 (UK), all companies in the common law countries were partnerships. In that case, everyone who ran or invested in the company was liable for the debts and tortfeasance of the company. So in this case, even though NCIX went bankrupt, Steve Wu would be personally liable for the data breach, and also for all the debts of NCIX. There was also the limited liability partnership as well, which only applied to professional organizations (i.e. law firms, accounting firms, doctors, etc.); these limited liability for tortfeasance: if your lawyer screwed up your case, and it was just that one lawyer, then the other lawyers would not be liable for his screw-up. But on debts and common torts, all the partners were liable. But with the liability shield, corporations are treated like "legal persons" and the corporation takes over all the duties and liabilities of the company. So if a company goes bankrupt, the company is liable for the debts. The shareholders, owners, executives and board of directors are all protected from liability.

 

Now these were created for actually a very good reason. They were mostly a tool used by railroad companies in constructing new railway lines. It worked really well too; railroads were risky ventures, you had to take on a lot of debt and there was no guarantee you'd succeed. But you could get investors to buy into the railroad company in exchange for shares: if the company succeeded the investors made a lot of money; if the company failed, the investors lost their money but they would not be liable for the debts of the company. It was also good for society: fine, railroad X failed, but it left behind a lot of railroad tracks. Usually the county, the province/state or the city would take it over and create public transit. In fact most of our commuter rail systems are actually built on the back of failed railroad companies.

 

This system also worked well for a long time because companies were generally a long-term venture, passed from generation to generation. Therefore companies thought long term, and did not take risks which could damage the viability of the company. There were exceptions, but there is a reason why so many companies have existed for 100+ years (think Ford, IBM, GE, etc.). They would still take risks, but generally it would be for the betterment of the company, i.e. Macy's opening a store in a shopping mall rather than a downtown location because people's shopping preferences were moving to shopping malls.

 

Furthermore, other than in railroads, the failure of a business was viewed as a personal/moral failure on the part of the executives. If your company failed, people treated you like a failure. That acted as a check on your behaviour, and encouraged executives to think long term.

 

The problem is that after the 1980s and 1990s, there was a culture shift in the corporate world. Failure no longer has the same stigma, and arguably today it is a badge of honour. That shift has created the fleeting corporation. These are corporations created by people for the sole purpose of making as much money as possible in as little time as possible. These companies exist for the sole purpose of trying to make as much money as possible for the owners in as little time as possible. If they fail, who cares? You made your money and walked away without any liability. Employees lost their job? Not your problem.

 

The result is that the owners and operators of fleeting corporations have little to no regard for the long-term consequences of their actions. Executives at NCIX knew what they did was wrong; they knew they should have secured the data, but they did not because it would cost more and that would eat into their profits. They did this because it allowed them to maximize their personal profits. There was no reason for them to worry about the employees, customers or even NCIX because it would not negatively affect them.

 

It's not just new corporations; some even long-term corporations like Sears have taken this approach. Rather than investing in an online store to compete with the likes of Amazon, the current group of executives simply moved all the bad assets from their other ventures into Sears and moved the more successful assets into their other ventures. Thus Sears is on the verge of bankruptcy and is bankrupt in Canada. An even better example: American banking executives in 2008 who took significant risks with mortgages, then paid themselves huge bonuses when everything crashed. One of the reasons no one was punished was that there was no legal means to punish them.

 

You can sometimes pierce the corporate veil but it is a pretty high standard to meet, and it generally works better with small ma and pa type corporations than it does with large ones.

 

If you want real change, it's time to reform the corporate liability shield and make the directors liable for at least their gross negligence in times like these. The UK has already started to move in this direction in relation to employees, criminal law and even patent law. Increasingly the corporate veil is pierced (for both small and large corporations) in the UK on these matters. North America lags behind. But if we want this same change, we need to get the message out to all our friends.

 

Adam Smith, in his book The Wealth of Nations, basically predicted this outcome when he criticized the corporate liability shield. He said, "companies, however, being the managers rather of other people's money than of their own, it cannot well be expected, that they should watch over it with the same anxious vigilance with which the partners in a private company frequently watch over their own.... Negligence and profusion, therefore, must always prevail, more or less, in the management of the affairs of such a company".

 

P.S. I apologize for not editing this properly I have to leave fairly quickly after typing it.


1 hour ago, Sober2ndThought said:

-snip-

Good read, I'm from America so I don't know Canadian law. Like the stat holidays those aren't a thing here (holiday pay isn't required too).

 

Steve Wu probably knew the consequences of his actions when NCIX closed, and apparently a few people online claimed he went to China (which makes sense, because it sounded like he also folded NCIX money into other businesses of his (a lot of them failed) and also wasted money on himself). Apparently he can't even be contacted during this whole ordeal; one news company had a recording of calling his phone and all they got was his voicemail (which had an accent saying it's Steve Wu's voicemail), which was full.


I wouldn't go after NCIX directly nor the Trustee, as they are likely to be thrown out. Go after the freaking auditors, for ONCE. I'm soooo very tired of seeing companies "pass" an audit - some of which we have serious legal dependencies on, like PCI - only to have that audit completely ignored.

 

There are many types, but an audit is a form of bond. If you pulled this shit you'd be in jail. Why on Earth are we still trusting these companies?? That is a question CBC will never answer, given their own scandals.

 

Fun link re the slimeballs @ SNC-Lavalin:

 

https://www.theglobeandmail.com/report-on-business/sncs-fraud-corruption-hearing-set-for-2018/article28929552/

 

Might be why the RCMP got involved so early.

 

 


4 hours ago, Ryan_Vickers said:

I'm not sure whose responsibility it was to wipe the servers, but regardless (and this is something that I think has been overshadowed by the fact all this leaked), NCIX was absolutely and exclusively at fault for storing data the way they were in the first place (completely unencrypted and unsecured in any meaningful way). Had they followed proper procedures, even without wiping anything, the data should have been unrecoverable, period. Were the situation different - say, NCIX was still operating normally, and nothing had been leaked - and it was found out that this is how they were storing things, it still would have been a big story, and for good reason. I think that just speaks to the calamity of this leak in fact - that it has managed to completely overshadow something that in its own right was already huge, but as a result of the bigger problem is getting almost no attention.

Other than encrypting the important data within the databases themselves, it's actually difficult to prevent access to the databases and the information within them once you have the servers. When a company closes like this there isn't an opportunity given to wipe servers and data; just think of the legal issues that could cause when trying to do debtor recovery and looking for missing company assets and funds.

 

It's simple to say the data and databases should have been encrypted, but the people involved had the actual servers with the encryption keys; locked doors do nothing to people with keys to the lock.

 

All that was required to get the databases was to boot the StarWind server using something like Hiren's Boot CD, reset the local administrator password, reboot back to Windows, open StarWind iSCSI Target software and add the IP address of your computer, open iSCSI initiator on your computer and mount the iSCSI disks, boom, you have the data. Now if the databases were encrypted yes you would not be able to read them but they also had the original MS SQL server intact with the encryption keys, so do the same on that server with Hiren's, connect up the iSCSI disks (which would auto mount anyway), start up MS SQL Server, open SQL Server Management Studio and then read all the data you like, even remove the encryption.

 

You can do very little when someone has literally everything.


1 minute ago, leadeater said:

When a company closes like this there isn't an opportunity given to wipe servers and data, just think of the legal issues that could cause when trying to do debtor recovery and looking for missing company assets and funds.

Basically "they" (whoever was responsible, probably a combo of NCIX and the auction company or whoever was handling things post-bankruptcy) completely botched the handling of that whole process.  If data was needed off of those servers, it should have been retrieved and used as needed.  Once that whole stage is finished and you're ready to sell the servers, they obviously should have been completely wiped.  It's not like it's impossible to handle something like this properly, they just didn't in a big way.

 

3 minutes ago, leadeater said:

Other than encrypting the important data within the databases themselves..

That's what they should have done. NCIX should have been storing everything in an encrypted fashion, and once the entire close-down procedure was finished, the keys should have been destroyed. It's really just common sense the way I see it. Do you have some industry insight that would suggest otherwise though?


12 minutes ago, Ryan_Vickers said:

Do you have some industry insight that would suggest otherwise though?

A lot of data is not encrypted; passwords and such are, but typically things like names and addresses are not. There's always a performance impact, or data storage efficiency, etc.; basically there is a trade-off to encryption, even just administratively, so you have to weigh up what is overall best. How likely is it that you actually need to encrypt that field/data? What's the attack profile?

 

It's common for application support people to have to diagnose processing errors, problems during upgrades, changes to data structures, and a myriad of other things, and that is very hard or impossible when the data is encrypted. You can't do basic things like verify that the data in that field is valid and could be why the processing is failing.

 

Generally you don't take into account a situation like bankruptcy where you're kicked out and blocked from access to your own stuff, which can lead to people having the access required to get past what would normally be fairly standard and good security.


1 minute ago, leadeater said:

A lot of data is not encrypted; passwords and such are, but typically things like names and addresses are not. There's always a performance impact, or data storage efficiency, etc.; basically there is a trade-off to encryption, even just administratively, so you have to weigh up what is overall best. How likely is it that you actually need to encrypt that field/data? What's the attack profile?

 

It's common for application support people to have to diagnose processing errors, problems during upgrades, changes to data structures, and a myriad of other things, and that is very hard or impossible when the data is encrypted. You can't do basic things like verify that the data in that field is valid and could be why the processing is failing.

 

Generally you don't take into account a situation like bankruptcy where you're kicked out and blocked from access to your own stuff, which can lead to people having the access required to get past what would normally be fairly standard and good security.

Well, there is always the physical risk - someone breaks in and steals the server - but I can see what you mean and why they might not want to encrypt everything then.  Still, not only were they not even doing the bare minimum (passwords and credit card details), but (again), the whole process of selling it without going through the proper procedure is an epic fail.


Just now, Ryan_Vickers said:

Well, there is always the physical risk - someone breaks in and steals the server - but I can see what you mean and why they might not want to encrypt everything then.  Still, not only were they not even doing the bare minimum (passwords and credit card details), but (again), the whole process of selling it without going through the proper procedure is an epic fail.

I imagine any investigations will be looking at the chain of possession and the sale of the data. I can't realistically see anything legally coming from the data storage itself because, honestly, any system administrator or engineer given the same access to the servers as with NCIX could do the same to almost every small and medium business; physical access is always the last line of defense.

 

This is why I like Kerberos so much; PKI/certificates are too easily bypassed in this type of situation. Kerberos authentication requires that the authentication server be online, that you have a valid user account, and that both the client and server are authenticated and validated.

[Image: 1895252-kerberos1.png, Kerberos authentication flow]

 

The above diagram shows just the client, but the service itself also has to authenticate, so a service cannot fake that it is part of the same Kerberos realm, and the client will reject the service/server.

 

Kerberos, however, is not suitable for web/internet authentication, which is why PKI is used. The critical failure with PKI is when someone gets access to the service/server private keys, something you cannot do with Kerberos as the private keys are regenerated at time intervals and not stored permanently on the client or service/server. Kerberos has strict requirements on clock skew; everything needs to use the same time source, hence one of the reasons it's impractical for internet authentication. The KDC is the standout single point of weakness, because if you breach that you are the master over the whole authentication process and can impersonate anyone; making your KDCs very secure is a must, but not hard.

https://en.wikipedia.org/wiki/Kerberos_(protocol)#Protocol

 

Pretty much in my view the only encryption you can rely on is at the application layer, once it's stored on a storage medium there is always a way to access it.

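As an added illustration of the mutual authentication and clock-skew rules described in the post above (example code written for this page, not the poster's code and not any real Kerberos implementation): a toy run of the ticket, authenticator and AP-REP exchange. It assumes HMAC-sealed JSON in place of Kerberos encryption, skips the TGT step, and uses constructed principal names and keys.

```python
import hashlib, hmac, json, secrets

MAX_SKEW = 300  # seconds; Kerberos implementations default to 5 minutes

def seal(key, obj):
    # HMAC-sealed JSON stands in for Kerberos encryption (assumption: integrity only, no secrecy)
    body = json.dumps(obj, sort_keys=True).encode()
    return {"body": body.hex(), "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

def unseal(key, box):
    body = bytes.fromhex(box["body"])
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, box["tag"]):
        raise PermissionError("wrong key or tampered message")
    return json.loads(body)

def kdc_issue_ticket(kdc_keys, client, service, now):
    # KDC: fresh session key; one copy sealed under the service's long-term key (the ticket),
    # one copy sealed under the client's key. Neither party ever sees the other's long-term key.
    sk = secrets.token_bytes(32).hex()
    ticket = seal(kdc_keys[service], {"client": client, "key": sk, "expires": now + 3600})
    return seal(kdc_keys[client], {"key": sk, "ticket": ticket})

def client_ap_req(client, client_key, kdc_reply, now):
    rep = unseal(client_key, kdc_reply)      # only the real client can open its copy of the key
    sk = bytes.fromhex(rep["key"])
    return rep["ticket"], seal(sk, {"client": client, "ts": now}), sk

def service_ap_rep(service_key, ticket, authenticator, now):
    t = unseal(service_key, ticket)          # a fake service without the real key fails here
    if now > t["expires"]:
        raise PermissionError("ticket expired")
    sk = bytes.fromhex(t["key"])
    a = unseal(sk, authenticator)
    if a["client"] != t["client"] or abs(now - a["ts"]) > MAX_SKEW:
        raise PermissionError("authenticator mismatch or clock skew too large")
    return seal(sk, {"ts": a["ts"]})         # AP-REP: proves the service holds the session key

def run_scenarios():
    kdc = {"alice": secrets.token_bytes(32), "web": secrets.token_bytes(32)}  # constructed principals
    now = 1_700_000_000  # fixed constructed clock so the run is deterministic
    ticket, auth, sk = client_ap_req("alice", kdc["alice"], kdc_issue_ticket(kdc, "alice", "web", now), now)
    results = {"honest": unseal(sk, service_ap_rep(kdc["web"], ticket, auth, now + 10))["ts"] == now}
    for name, key, t in [("impostor_service", secrets.token_bytes(32), now + 10),
                         ("skewed_clock", kdc["web"], now + 900)]:
        try:
            service_ap_rep(key, ticket, auth, t)
            results[name] = "accepted"
        except PermissionError as e:
            results[name] = "rejected: " + str(e)
    return results
```

The honest run succeeds on both sides, an impostor service holding a stolen ticket but not the service key is rejected, and a service whose clock is 15 minutes off rejects a valid authenticator.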

Well, I'm happy the card I had when I shopped at NCIX got changed to a chip card with different details.

God, this just sucks so much for so many.

Good luck, Have fun, Build PC, and have a last gen console for use once a year. I should answer most of the time between 9 to 3 PST

NightHawk 3.0: R7 5700x @, B550A vision D, H105, 2x32gb Oloy 3600, Sapphire RX 6700XT  Nitro+, Corsair RM750X, 500 gb 850 evo, 2tb rocket and 5tb Toshiba x300, 2x 6TB WD Black W10 all in a 750D airflow.
GF PC: (nighthawk 2.0): R7 2700x, B450m vision D, 4x8gb Geli 2933, Strix GTX970, CX650M RGB, Obsidian 350D

Skunkworks: R5 3500U, 16gb, 500gb Adata XPG 6000 lite, Vega 8. HP probook G455R G6 Ubuntu 20. LTS

Condor (MC server): 6600K, z170m plus, 16gb corsair vengeance LPX, samsung 750 evo, EVGA BR 450.

Spirt  (NAS) ASUS Z9PR-D12, 2x E5 2620V2, 8x4gb, 24 3tb HDD. F80 800gb cache, trueNAS, 2x12disk raid Z3 stripped

PSU Tier List      Motherboard Tier List     SSD Tier List     How to get PC parts cheap    HP probook 445R G6 review

 

"Stupidity is like trying to find a limit of a constant. You are never truly smart in something, just less stupid."

Camera Gear: X-S10, 16-80 F4, 60D, 24-105 F4, 50mm F1.4, Helios44-m, 2 Cos-11D lavs


11 minutes ago, GDRRiley said:

Well, I'm happy the card I had when I shopped at NCIX got changed to a chip card with different details.

God, this just sucks so much for so many.

It sucks to be a victim of identity theft because the company failed to protect your information, like the Equifax credit report company did, for instance. I remember there was a news thread posted here as well about T-Mobile storing customer passwords in plain text.


1 minute ago, DaPhuc said:

It sucks to be a victim of identity theft because the company failed to protect your information, like the Equifax credit report company did, for instance. I remember there was a news thread posted here as well about T-Mobile storing customer passwords in plain text.

I know that based off my mom; she was one of the people who was part of the breach.


Just now, GDRRiley said:

I know that based off my mom; she was one of the people who was part of the breach.

Plus, those people in the lawsuit against Equifax only received less than $100 in compensation.....


3 hours ago, toor said:

I wouldn't go after NCIX directly nor the Trustee, as they are likely to be thrown out. Go after the freaking auditors, for ONCE. I'm soooo very tired of seeing companies "pass" an audit, some of which we have serious legal dependencies on, like PCI, only to have that audit completely ignored.

 

There are many types, but an audit is a form of bond. If you pulled this shit you'd be in jail. Why on Earth are we still trusting these companies?? That is a question CBC will never answer given their own scandals.

 

I worked at a large business firm which handled audits (I was not in the audit department). Everyone who worked in the audit department knew the rule: make the client happy. When they said client, it wasn't the shareholders, employees or customers; it was the Board and the Executives. How do you keep them happy? The company passes the audit. Simple.

 

The problem is, if you want to sue, who do you sue? Do you sue the partner who issued the order but made sure it was issued in a way that it could not be traced back to him/her? Do you sue the junior auditor who signed the audit, was just following the firm rules, is likely overworked and knows that if they don't please their boss they are out of work? Or do you sue the entire audit department or even the entire firm? The problem is the only person liable is the junior auditor; unless there is a document trail it is difficult to sue the entire firm. Even Arthur Andersen was acquitted in the Enron scandal. https://www.nytimes.com/2005/05/31/business/justices-unanimously-overturn-conviction-of-arthur-andersen.html


 

3 hours ago, Sober2ndThought said:

The problem is the only person liable is the junior auditor; unless there is a document trail it is difficult to sue the entire firm.

 

I would think that in the case where formal procedures are already established, that is less of an issue. The firm is signing off on those processes being not only implemented but actually followed. Aside from the auditors themselves being involved in the fraud, they can be shielded. They can still lose any professional licenses, however (doctors, engineers, accountants, etc.).

 

IT is one field where there are a whole lot of people who shouldn't be anywhere near a computer, yet are paid very well.

 


Enron also had a whole lot of people paid off. It was more systemic abuse. If I had my way, all the reporters and media who pushed that agenda would be in prison too. They, however, have walked free, on both sides of the border. I'm not talking about local TV stations, rather national broadcasts giving financial advice to millions. Case in point: Amanda Lang, Kevin O'Leary. Bit OT for this thread though.


The professions are equally susceptible to it as IT. Heck, the Big 4 accounting firms are now doing IT audits.

 

The reality is this: people who do audit work largely for commercial enterprises whose primary goal is to make as much money as possible. These are usually large organizations with a ton of overhead. Losing a client, any client, could be devastating for an organization.

 

The people who work there are under considerable pressure and are constantly divided between their duty to their profession and the needs of their businesses. There is pressure from the top down to bill as much as possible and to keep every client happy.

 

There are government audits, which are a bit different. Bureaucrats work for the public purse and are largely immune from pressure. But those audits are generally done in connection with criminal investigations. Maybe that's the real solution: make storing and disposing of data improperly a criminal offense.

 


4 hours ago, Sober2ndThought said:

The professions are equally susceptible to it as IT. Heck, the Big 4 accounting firms are now doing IT audits.

 

The reality is this: people who do audit work largely for commercial enterprises whose primary goal is to make as much money as possible. These are usually large organizations with a ton of overhead. Losing a client, any client, could be devastating for an organization.

 

The people who work there are under considerable pressure and are constantly divided between their duty to their profession and the needs of their businesses. There is pressure from the top down to bill as much as possible and to keep every client happy.

Sounds like a systemic/structural problem with how this is all done.

4 hours ago, Sober2ndThought said:

There are government audits, which are a bit different. Bureaucrats work for the public purse and are largely immune from pressure. But those audits are generally done in connection with criminal investigations. Maybe that's the real solution: make storing and disposing of data improperly a criminal offense.

Well, obviously. In fact, isn't it already? I thought that's the problem: it is, but it doesn't help.


On 9/21/2018 at 5:26 PM, ThePointblank said:

Richmond RCMP has indicated they have the drives:

 

 

 

Yeah, but like @Slick and @James said on the WAN Show, that data's been copied and sold to multiple people already. Having the drives is like having the gun after it's already killed a dozen people.

Desktop: [Processor: Intel Skylake i5 6600K (stock for now)][HSF: CoolerMaster Hyper 212 EVO]
[PSU: EVGA SuperNova 750 B2][Case: Corsair Carbide Series Air 540 Silver]
[Motherboard: AsRock Z170 Extreme4][RAM: 2x8GB Corsair Vengeance LPX DDR4-2666]
[Video: eVGA GeForce GTX 1060 3GB 03G-P4-6160-KR]
[Hard Drives: Samsung 850 EVO 500GB]
Notebook: [HP Envy x360 15z][Ryzen 7 2700U w/ Radeon RX Vega 10][8GB RAM][256GB m.2 nVME SSD]

Gaming:[SteamID: STEAM_0:0:1792244 - "[TC]CreepingDeath"]

