How To Manage a Security Breach?

Salvance writes, "A friend of mine has recently been stressed over a security breach at the company he consults for. The company maintains dozens of Windows 98 desktops to support legacy software that cannot be easily replaced. Due to the inherent lack of security in Win98, a worm was able to infiltrate almost every computer and send gigabytes of data (possibly including sensitive company data) to a 'redirector' in Eastern Europe. My friend was working on other security projects at this company and stumbled across this massive hole. He quickly convinced company executives to remove Internet access from all Win98 machines, purchase better firewalls, and implement other data protection strategies. However, the sticking point was client notification. Due to the nature of the legacy systems, there was no way to know what data was transferred. For this reason the company wanted to play it safe and disclose nothing. Of course, my friend is all for disclosure and preventing harmful use of the potentially leaked data. My friend doesn't know what to do, so I'd like to know what others here think."

Too late to be an "unidentified source"

[Harmonious+Botch]

Your 'friend' has already screwed up. ( sorry to put it that baldly, but he has ) He was hired to deal with security issues, not legal ones. He never should have discussed client notification with them. When he starts expressing opinions about that, he is way outside of what he contracted to do. He may not have recognized this breach of manners, but, I assure you, they have.

Now, if he - or anybody else - leaks this, management will assume that it was him.