What Would You Do If You Were In His Position?
He felt that he had to seal the problem without exposing his key staff to higher management scrutiny. Call it loyalty, shrewdness, or just a plain old 'cover your ass' strategy, but he decided to batten down the hatches, attempt to retrieve the floating information from its online source, patch up all possible holes that he could find, slap a couple of people on the wrists, and ride out any storms that might have arisen.
There was no serious attempt to assess damage. This event clearly indicated that there was direct complicity between an administrative user and the hacker(s).
What was the potential for data damage? Databases containing tens of thousands of personal records possibly exposed. Machines handling thousands of credit card transactions possibly exposed. The complete network and server architecture was possibly exposed, and the highest echelon of IT administrators directly implicated in the firing line.
And it all went quietly away. This is a very subtle social engineering strategy that is often risked by hackers. If the potential for considerable damage to friends and brand is big enough, then there is a good chance that an intrusion will be allowed to sink from view, very quietly.
So what am I saying?
Am I implying that in addition to instances where you have been the victim of fraud and you know about it, that there are others that you do not know about? That there is a possibility that thieves out there may have information about you that has been stolen, and the situation has been elaborately covered up by the custodial organization? That there are instances where staff that have administrative responsibility for systems interact with hackers?
Am I saying that that's how it gets done? Am I saying that that's how the staggering levels of IT related fraud happen with almost total immunity from prosecution? That in many cases, where there is a significant threat to destabilization of a company infrastructure, or brand damage, or market depreciation, then an organization may decide to ride the hit and tighten security?
And More Examples...
Other examples of social engineering are also rampant, including some that apply to the end-user directly. Phishing is a form of social engineering. Another good example came about recently when hackers used excerpts from BBC News stories in emails, with a link at the end saying "Read more..." Users click on the link without checking it, or even questioning why they're getting emails from the BBC, and the next thing they know they're getting spyware and Trojans downloading onto their machines.
The list goes on and on, and so do the mistakes. In the problems that I have outlined above, it wasn't the security architecture that failed, it was the implementation, maintenance and basic adherence to protocol that did. The risks that this pose, both to the person and to the organization, are clear. Everything from credit card details to military secrets can be uncovered through clever social engineering, which essentially uses a lot of the manipulation tricks of the spy trade.