#1 – I approved your link because I am a believer in free speech and opinion, but please, keep your tone respectful and if you would like to debate about an issue, that is fine, but please be respectful.

#2 – I think the bad guys thing is clear. The NCUA was about to start the process for inspecting the code and would have traced the attack had we not immediately notified them of the testing. In fact, they had already issued the fraud alert so any wide scale attack would likely have been thwarted.

#3 – Your mistake assertion is simply incorrect. The engagement was properly scoped, managed and performed. Certainly, some expected things happened during the incident handling process, but this is true more often than not. Quite simply, life is a chaotic system and we do our very best to control things, but the unexpected often occurs. Ask anyone who has ever been in a traffic accident about chaos. I do not see any way that we could have performed any differently than we did in this engagement. We had multiple levels of contact with the client and once those contacts were missed, we immediately stepped forward and alleviated the issue as soon as we knew about it.

#4 – The entire process shows a successful capability to handle these threats. Everyone from the NCUA, to the media, to the security community performed wonderfully by spreading the word. Awareness was raised and we set the bar went higher for criminals trying to exploit these forms of attack (like in the “laptops for governors” attack currently in progress).

So, at the end of the day, I extend my apologies to anyone who feels upset by the outcome, but we did everything we could to control the situation and proper safeguards were in place. Did the unexpected happen, sure it did, but I don’t know how we could have avoided it. I am sorry that we caused a commotion, but I think, in the end, it was a positive outcome for everyone. I can’t think of anything we would do differently, if we had it to do all over. In my mind, we communicated with the client, the NCUA and the folks involved as quickly and effectively as possible.

Thanks for your input and feedback. I appreciate you being a reader and I value your input and right to an opinion.

I see this as a large scale win for credit unions, the NCUA and information security, in general. It has really raised awareness of social engineering attacks and set the bar higher for criminals expecting to exploit these issues.

But you clearly F’d up. You didn’t account for time out of office/vacation and you didn’t have appropriate contact information to get a hold of your “get out of jail” contact, who could have nipped this in the bud. Perhaps you should included some lessons learned here, as I’m confident the upper management of said CU aren’t real happy w/ their name being dragged about, nor was the NCUA for going into crisis mode. The fact that the media jumped all over it is a testiment to their willingness to report anything w/o getting the facts.

If you really had control over this situation, the outcome would have been different. The test could have been completed, the alarms sounded, and the minor freak-out avoided. – Joe.