
Question about exploit exposing SSN & user info



My apologies if this question is inappropriate for this email list, but it is a 
last resort and a friend recommended posting this question here.

In the last 36 hours I uncovered an exploit that compromises the private 
information of thousands of individuals - including SSN and address 
information.  I cannot judge whether or not the exploit is easy to find.  I do 
know that if found, it would not be difficult to write a simple script in php 
or perl to exploit the hole.  

My concern is that the company responsible for this hole (for whom I am 
currently employed) will patch the problem on seeing it occur on Monday (a good 
thing) but do little or nothing to notify any user whose private information is 
on their system (downplaying the likelihood of risk).  This exploit has very 
likely existed for years and whether or not a company typically keeps logs for 
years is beyond my knowledge - the exploit is however detectable through web 
log files.  I also lack faith in the company's ability to make an objective 
determination of whether or not the exploit has been used to download the private 
information of its users.

My question is this - does anyone out there have any experience dealing with 
this type of situation, where a company has silenced an exploit without 
notifying customers who may have been victims of it?  Does anyone have any 
recommendations for a course of action I might take to somehow ensure users 
whose private information may have been compromised are notified in the event 
the company chooses to "sweep it under the rug"? 

Again my apologies if my asking this question in the wrong forum has offended 
anyone.  

And many thanks to anyone who responds.