Cites Security Breach Information Act in Disclosing Successful Attack

When Allegiance Telecom’s unit informed 4,000 web hosting customers last week that their passwords had been compromised by crackers, the company said it was “the correct thing to do.” But Allegiance also said a new California law obligated it to disclose the security breach.

The California Security Breach Information Act, which took effect on July 1, requires companies with customers in California to notify them whenever their personal information may have been compromised. “You want to make sure there’s full and complete disclosure as required by law,” Allegiance spokesman Jerry Ostergaard told Security Focus, which first reported the incident.

The statute compels disclosure only if a break-in exposes a customer's Social Security number, credit card data or bank account information. The March 3rd intrusion at Allegiance's business involved usernames and passwords, but the company said it opted to disclose the breach anyway. Allegiance hosts about 30,000 active sites, most running either Windows 2000 (about 12,000) or Solaris (about 10,000). Allegiance is currently operating in Chapter 11 bankruptcy, but has agreed to sell its assets to XO Communications for about $650 million.

Just 30 percent of organizations that acknowledged computer intrusions reported the incident to law enforcement, according to a 2003 survey by the FBI and the Computer Security Institute. Those that chose not to report intrusions cited negative publicity and the likelihood that competitors would use the revelations to their advantage. Some security professionals expect the stiffer disclosure requirements to prompt additional focus on securing systems.

Netcraft offers a range of advanced security services, including the Netcraft Network Examination, an automated vulnerability test of Internet-connected networks that checks for new security vulnerabilities and for configuration errors introduced by system and network maintenance.