From the SANS NewsBites today: Credit Bureau Security Breached.
My favorite part is the fact that one login had authorization to access multiple records from TransUnion – according to the article, any record in the country. This account supposedly belonged to a courthouse in Kingman, AZ. I want to know two things:

1. WTH is an account from Arizona doing with authorization to access any credit information in the country?

2. Why doesn’t TransUnion own up to the fact that yes, it was a breach of their security systems? – A misconfiguration on their part is still a security breach.

With regards to 1, the account was obviously given to a court to access other people’s records, and I can understand having access to multiple records; what I don’t understand is why that account was not configured to only have access to the records that fall under the court’s jurisdiction. This is a good example of why we use the principle of least privilege. Yeah, the person you assign that account to might be trustworthy, but people who get hold of that account information probably aren’t. If the court needed access to records belonging to another jurisdiction, they should request that information from a court in that other jurisdiction, not help themselves to it. Sure, it’s a bit more of a hassle, but that’s security for you.
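As an added illustration (not from the original post or the news item), here is the difference between a login scoped to its own jurisdiction and one carrying a nationwide wildcard, plus the two checks a reviewer would run over the configuration and the access log. The login name, record ids and jurisdictions are constructed.

```python
"""Least-privilege scoping for a shared record-lookup account (constructed example)."""
from dataclasses import dataclass

ANY = "*"  # wildcard scope: the nationwide authorization the post objects to


@dataclass(frozen=True)
class Account:
    login: str
    # (state, county) pairs this login may read; ANY means every record in the country
    scope: frozenset


# Constructed sample records: record id -> jurisdiction that owns it
RECORDS = {
    "rec-1001": ("AZ", "Mohave"),    # Kingman, AZ lies in Mohave County
    "rec-2002": ("AZ", "Maricopa"),
    "rec-3003": ("NY", "Kings"),
}

# The over-broad configuration and the scoped one, side by side
NATIONWIDE = Account("kingman-court", frozenset({ANY}))
SCOPED = Account("kingman-court", frozenset({("AZ", "Mohave")}))


def can_read(account: Account, record_id: str) -> bool:
    """Allow the lookup only when the record's jurisdiction is inside the login's scope."""
    owner = RECORDS.get(record_id)
    if owner is None:
        return False          # unknown record: deny by default
    if ANY in account.scope:
        return True           # wildcard grants everything, which is the problem
    return owner in account.scope


def overbroad_logins(accounts) -> list:
    """Config audit: every login still carrying the nationwide wildcard."""
    return sorted(a.login for a in accounts if ANY in a.scope)


def out_of_jurisdiction_reads(home: frozenset, record_ids) -> list:
    """Log review: records a login read that its home jurisdiction does not own.
    With the wildcard in place these reads succeed, so the log is the only place
    they show up after the fact."""
    return [r for r in record_ids if r in RECORDS and RECORDS[r] not in home]
```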

With regards to 2, WTH? If a Windows admin assigns the Guest user administrative privileges, that’s an authorization misconfiguration and a security breach in my book. Sure, the admins may not be responsible because their higher-ups told them that the account was to have those permissions, but the higher-ups are definitely responsible.
</end rant>