Note Gossi's "If". There's no indication so far wrt possible payment.
There's nothing "likely" about it.
> On Friday 16 May we discovered the attack was more extensive than originally understood and that the group behind it had accessed a large amount of information relating to legal aid applicants.
> We believe the group has accessed and downloaded a significant amount of personal data from those who applied for legal aid through our digital service since 2010.
> This data may have included contact details and addresses of applicants, their dates of birth, national ID numbers, criminal history, employment status and financial data such as contribution amounts, debts and payments.
source: https://www.gov.uk/government/news/legal-aid-agency-data-bre...
Ransomed by Jeff Bezos.
Do you mean stolen by Jeff Bezos, or to imply that AWS has another copy of the data?
> Legal aid is the provision of assistance to people who are unable to afford legal representation and access to the court system. Legal aid is regarded as central in providing access to justice by ensuring equality before the law, the right to counsel and the right to a fair trial.
> The Legal Aid Agency is an executive agency of the Ministry of Justice (MoJ) in the United Kingdom. It provides both civil and criminal legal aid and advice in England and Wales.
egorfine•8mo ago
And that's about it. No repercussions will take place.
tgv•8mo ago
celticninja•8mo ago
aaronmdjones•8mo ago
1) Someone left an unpatched server exposed to the Internet for months with a known critical vulnerability.
2) Someone uploaded the data to a world-readable S3 bucket or similar, or left it in an Internet-accessible database server with no authentication.
3) Someone with administrative credentials was using the password "password1!" or similar with no two-factor authentication.
In an ideal world (not the world we live in), in these cases, that someone would be prosecuted for gross negligence.
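Two of the three failure modes in the list above (a world-readable bucket policy and a privileged account without two-factor authentication) can be caught by a routine configuration audit before an attacker finds them. The script below is an added example, not code from the thread or from any project it mentions; it works offline on a constructed bucket policy document and a constructed user list, with a placeholder account ID and VPC endpoint ID, and reports which statements grant anonymous read access and which administrative accounts lack MFA.

```python
"""Offline audit for two negligence patterns: an S3 bucket policy that lets
anyone read objects, and admin accounts with no MFA.  All inputs below are
constructed for this example (the account ID and VPC endpoint are placeholders)."""
import json

# Actions that hand out object reads when granted to an anonymous principal
READ_ACTIONS = {"s3:getobject", "s3:*", "*"}

# Constructed bucket policy: one open grant, one scoped to a role, one that is
# anonymous but gated by a Condition (still worth a look, but not wide open).
SAMPLE_BUCKET_POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DeployRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/deploy"},
     "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": ["*"]},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}}
  ]
}
"""
SAMPLE_BUCKET_POLICY = json.loads(SAMPLE_BUCKET_POLICY_JSON)

# Constructed account inventory; "admin" marks a privileged user
SAMPLE_USERS = [
    {"name": "ops-admin", "admin": True, "mfa_enabled": False},
    {"name": "sec-admin", "admin": True, "mfa_enabled": True},
    {"name": "analyst", "admin": False, "mfa_enabled": False},
]


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_statements(policy: dict) -> list:
    """Return (Sid, scope) for every Allow statement that grants object reads
    to an anonymous principal; scope is "conditional" when a Condition block
    narrows the grant and "unconditional" when nothing does."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & READ_ACTIONS:
            continue
        scope = "conditional" if stmt.get("Condition") else "unconditional"
        findings.append((stmt.get("Sid", "<no Sid>"), scope))
    return findings


def admins_without_mfa(users: list) -> list:
    """Names of privileged accounts that have no second factor enrolled."""
    return sorted(u["name"] for u in users
                  if u.get("admin") and not u.get("mfa_enabled"))


if __name__ == "__main__":
    for sid, scope in public_read_statements(SAMPLE_BUCKET_POLICY):
        print(f"anonymous read grant: Sid={sid} ({scope})")
    for name in admins_without_mfa(SAMPLE_USERS):
        print(f"admin without MFA: {name}")
```

In practice the policy document would come from the bucket's policy endpoint and the user list from the identity provider's export; the checks themselves stay the same. The unconditional finding is the one that matches the "world-readable S3 bucket" case in the comment; a conditional anonymous grant is flagged separately so a reviewer can confirm the condition really restricts the callers it is meant to.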
pjc50•8mo ago
Something similar happened to the British Museum a couple of years ago. Almost certainly an even worse pay/qualifications employer.
egorfine•8mo ago
So, shall we not protect people's data?
jaoane•8mo ago
These are professionals. It’s their responsibility to build a solid, secure system. If they can’t or don’t want to then they should find another job.
oaththrowaway•8mo ago
AlotOfReading•8mo ago
ben_w•8mo ago
That might not be a bad thing, if the insurance comes with some kind of way to get lower premiums for being less risky.
lurking_swe•8mo ago
Sure, a junior programmer or devops may do something dumb. That’s not the problem - at all. The problem is pretending they are a professional. They are not. They are juniors that need mentorship and should be _expected_ to mess up frequently.
To use a different analogy. If I bring my car to the mechanic, I’m OK with the new guy working on my car, assuming that the senior mechanic, you know, double checks their work. Is that not a reasonable assumption?
None of this makes ANY sense to me. To be blunt.
egorfine•8mo ago
Real situation btw.
netdevphoenix•8mo ago
jaoane•8mo ago
celticninja•8mo ago
There are services built by civil servant developers, that are built with security in mind, and they are not affected by this breach.
So it's nothing to do with being paid peanuts, or not wanting to do the best job possible.
It's very easy to backseat drive and offer opinions but your opinion is based on a fallacy.
lurking_swe•8mo ago
Makes sense. So if I’m understanding this right, the fault basically lies with the decision maker(s) in government who said “nope, not worth paying $x to secure/maintain our systems”
Sounds to me like they shouldn’t be allowed to create these public facing systems in the first place if they can’t afford (or don’t want) to maintain them. No?
That would be like paying someone to build a bridge for you and then deciding to purposely ignore maintenance on the bridge when the experts warn you it needs maintenance.
netdevphoenix•8mo ago
Have you ever worked in a government job? This is a common reality in those kinds of roles. Reality doesn't neatly fit into: "I have enough money to build this thing I desperately need" and "I have enough money to maintain this properly" and "I have enough budget to run the country well enough not to get kicked out of the job"
lurking_swe•8mo ago
In his discipline at least, the government _certainly_ found the money to maintain critical infrastructure. Bridges were routinely painted. Inspected for cracks. The works.
When NYC’s aging water tunnels (providing tap water from upstate NY) were in major disrepair and engineers warned of the damage, guess what happened? They got the funding to build a replacement bypass tunnel to ensure NYC was not impacted. A multi-decade project scheduled to be completed very shortly. They planned ahead. They didn’t ignore the issue and then pretend they couldn’t have predicted this would happen (lol).
From what I can tell, the ONLY reason the same care isn’t given to our IT systems is because the decision makers in charge don’t care. Am I wrong?
I agree that reality is not simple. It’s unfortunate. :(
harvey9•8mo ago
celticninja•8mo ago
egorfine•8mo ago
Personally, I do not see any other way out of this other than somehow criminalizing running outdated software.
drexlspivey•8mo ago
caulkboots•8mo ago
drexlspivey•8mo ago
egorfine•8mo ago
anonymars•8mo ago
egorfine•8mo ago
What I was trying to say is that some orgs upgrade their Windows OS installations after a ridiculous amount of time. Like I have legit seen a company thinking to upgrade to Windows Server 2008. And knowing them I'm sure it will take years to implement.
anonymars•8mo ago
buserror•8mo ago
taffynay•8mo ago
rjmunro•8mo ago
Unfortunately these make it very hard for people to get contracts with the government, so most government contracts get awarded to a small number of contractors who can maintain the expertise needed to comply with the rules. Often they end up charging more than other companies and doing a worse job.