REQUIRES INFORMATION SECURITY MANAGEMENT.
“We need to put together an urgent action plan because a lot of news reports are coming out on the subject and I am starting to get scared.”
The Commercial Director… was afraid… AT LEAST HE SAW IT COMING… but… let’s say the good thing is that he doesn’t have to be afraid anymore…
DISCLAIMER: I HAVE NOT BEEN INVOLVED IN THIS INCIDENT AND I DO NOT HAVE ANY LINK WITH IT. I DO NOT KNOW WHO WAS RESPONSIBLE FOR THE FACTS THAT ARE MENTIONED IN THIS ARTICLE. I DO NOT STORE ANY INFORMATION RELEASED. WHAT I USED WAS COPIED FROM THE CLOUD AND PUT HERE. I WIPED THE MEDIA INVOLVED TO BE SURE NOTHING IS ON MY EQUIPMENT.
Tonight is February 21, 2019. Nowadays, information security management is not optional for any company; it is a baseline. To manage the security of your information, you first have to identify the information assets that you have. Without going into detail, the concept is that the things that are most valuable to your company are the ones you will have to protect the most. If the company sells rare and hard-to-find books, it will have to focus on the protection of those books. Not only that, you are going to classify them according to their value. The most expensive ones should be protected more than those with lower value. That’s the concept.
Now, if the core of the company is INFORMATION, then INFORMATION should be protected following the concept mentioned above. And if something is the CORE of your business, losing that CORE means OUT OF BUSINESS for the company.
It is not complicated to understand this idea. It was probably clear even a hundred years ago: the concept of an ISMS was surely not known, but common sense was surely applied toward the same objective.
What I am about to tell you is something amazing, something from which many things can be learned, and it might generate some interesting reflections about things that are not as easy to understand as what was explained in the first paragraph.
Imagine this scenario: the business of insurance companies. That particular business was, for me, the first one that HAD to somehow start with some kind of RISK MANAGEMENT. After all, it all comes down to insured things, let’s call them MONEY, and odds. The odds of dying for a 25-year-old person with a life insurance policy. The odds of being able to pay back a loan for a family in a certain context, and so on.
Now, imagine that we also have nine other companies that, in one way or another, hold a lot of information of all kinds.
Now let’s imagine that there is a holding that owns these 10 companies. Without entering into the discussion of whether a holding produces goods or services itself, just assume that they are the owners of the 10 companies.
Data warehouse, Business Intelligence, Data Mining… and Big Data. Those are tools that grab information from many sources and process it in a way that provides you certain key information, which allows you to make better decisions and earn more revenue. INFORMATION IS POWER, AND POWER IS MONEY (I do not respect those who think in the opposite direction; for me, MONEY is NOT POWER AT ALL). If you think that money is power, then please do not keep reading my article, I do not want you to be my reader. I will tell you a little secret… ummm. No, I will not tell you the secret, after all, it is a secret, but I can give you a hint… money and air have many things in common…).
So information is power, and knowledge is power as well. Think that all those systems mentioned above, for example BIG DATA, can process information and give you knowledge. That would be a powerful weapon. Well, it is a powerful weapon.
Let’s get real: we are going to put names and internet addresses to the companies:
– www.passepag.com.br (Card payment terminals)
– fontesseguros.com.br (Insurer)
– www.deucredito.com.br (Finance company)
– fontespromotora.com.br (Credit sales on behalf of finance companies)
– www.medeirosmann.adv.br (Law firm)
– retentiva.com.br (Contact Center)
– asserttecnologia.com.br (Big Data for Business)
Do those names sound familiar to you? Maybe, maybe not, but what was amazing, at least for me, was how each one had certain key information as part of its core, and if you put together all the information from each company, you could know everything about everyone, about every company, about every family, everything! You know what that means? You have the knowledge to know what you can offer that person, and to make the biggest profit from it.
Oh wait. There is one tiny detail I did not mention…
Around the world, information is regulated for several reasons. A company should only hold the information that is required for it to operate its business, and people have the right to know what information every company holds about them. If the company is a retail one that sells pen drives and accepts cash or credit cards, then it would not need to know the income of its clients, or whether they are married or not, etc. It might ask the customer for their phone number, but the customer does not have to give that information if they do not want to, and if they accept, they should be informed of the reason why the company wants it. And if the person accepts, he can then go to the seller of pen drives and request all the information stored about him, he is able to request the correction of information that is wrong, and he can also say, “I do not want you to have my phone number anymore, delete that record from your system”, and the company must do it. Do you get the idea? (Okay, that is the theory; please do not be so naive as to believe the world is perfect… that is another discussion).
Let’s imagine the name of the holding is JEHOLDING. And let’s imagine they put together all the information that each part of the holding stores. If the person was not told about that, then JEHOLDING is doing something that violates all those regulations about information. They are doing something very bad: they know everything about everybody without everybody knowing it. Now, as a person, that would really upset me a lot, to the point that I would take civil action against JEHOLDING. I DID NOT GIVE JEHOLDING MY PERMISSION TO KNOW EVERYTHING ABOUT ME. I DO NOT WANT JEHOLDING TO KNOW EVERYTHING ABOUT ME. IT IS MY LIFE, AND IT IS ME WHO ACCEPTS OR NOT. THAT IS NOT A DECISION OF JEHOLDING. It is my life; I use my money to go to a CASINO in Uruguay, and I use my credit card to pay for a motel room to have an affair with whoever I want. It is my money, it is my life. JEHOLDING does not have to know that I like buying expensive cars and that I have a minor car accident about once a year. That is the information the insurance company has, and I understand that for its business it has to have it. REMEMBER THIS: IF SOMEBODY WANTS TO ENTER YOUR LIFE, THEY HAVE TO ASK YOU FOR YOUR PERMISSION. IT IS YOUR LIFE, AND YOU DECIDE.
DO YOU GET IT?
OKAY, imagine now that JEHOLDING DOES IT, has all the information. And you, YOU DON’T KNOW IT. PERIOD. THAT IS THE END OF THE BASIS OF THE LAWS REGARDING THE PROTECTION OF PERSONAL INFORMATION, ETC.
Maybe, just maybe, somebody suspected that JEHOLDING was somehow violating those laws, and then the press and the media began covering it… and well, JEHOLDING said, we have to do something, otherwise we will be in trouble.
At this point we are going to STOP.
Last night, February 20, 2019, somebody on Twitter made some posts saying that in a few hours all the information feeding that powerful weapon was going to be disclosed.
Somebody on Twitter saw that and, for some reason, thought that something interesting was going to happen, so he followed that post. A few hours later, almost 300 GB of information from the companies, from the “powerful” weapon and from those in charge of it, was released, posted in a public place on the Internet.
Now comes the first smile on the face of the person that thought something interesting was about to happen.
— — — — — Forwarded message — — — — —
From: Carlos Goulart <firstname.lastname@example.org>
Date: August 25, 2017 16:46
Subject: Shielding Assert’s data
To: “Dra. Schéroon Cristina — Legal” <firstname.lastname@example.org>, Thiago Vieira <firstname.lastname@example.org>
Dr., good afternoon,
We talked here and took some examples from competitors to try to protect Assert as much as possible against any eventual investigation,
Here is what we came up with:
– Put an icon inside the system through which partners include, i.e. upload, a database into Consulta Plus in order to query it. We thought of this so that, in an eventual interrogation, I can say that the correspondents acquire databases from who knows where and put them into my system to search, to find out whether there is any new contract registered at Fontes; since we have 8000 registered partners, we have built a large participatory database.
– Make a fake contract with Fontes, Facility, SC Consig and Deu Credito, with that contract giving Assert authorization to process the customers’ financial data.
– Insert into the FF (contract mirror) the clause that Opice Blum sent as a suggestion.
– Contract with TELLI for the processing and supply of data to Gov SC
– Legal opinion on the clause suggested by Opice Blum
– Execute a (symbolic) contract with Serasa, Boa Vista, Procob to serve as the origin of the telephone contacts
We need to put together an urgent action plan because a lot of news reports are coming out on the subject and I am starting to get scared.
SHOWTIME. I have a trailer to share with you!
NOW, this is very, very, very interesting, isn’t it? Well, YOU HAVE SEEN NOTHING YET.