[gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc

Rubens Kuhl rubensk at nic.br
Tue Feb 13 19:41:50 UTC 2018 

Chris,

When I found two vulnerabilities at the website in question, https://compliance.icann.org, ICANN informed that KPMG was in charge of that server. This was corroborated by OU field in the certificate indicating KPMG.  Since then, compliance.icann.org now redirects to https://mft.us.kpmg.com/ <https://mft.us.kpmg.com/> , making clearer that the data is being sent to KPMG.

From an ICANN message of the time (February 2016):
"(name) is on top of this and working with IT and KPMG to address it."



Rubens




> On 13 Feb 2018, at 17:11, Chris Pelling <chris at netearth.net> wrote:
> 
> Hi Rubens,
> 
> My understanding from doing these audit twice is that hte data is sent to an ICANN managed and controlled system, this is then sent onto the auditor KPMG in these cases.  That or KPMG has access to the data on the ICANN system.
> 
> Kind regards,
> 
> Chris
> 
> From: "Rubens Kuhl" <rubensk at nic.br>
> To: "Chris Pelling" <chris at netearth.net>
> Cc: "John Bambenek" <jcb at bambenekconsulting.com>, "gnso-rds-pdp-wg" <gnso-rds-pdp-wg at icann.org>, "Greg Aaron" <gca at icginc.com>
> Sent: Tuesday, 13 February, 2018 17:40:25
> Subject: Re: [gnso-rds-pdp-wg] Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
> 
> 
> 
> On 13 Feb 2018, at 15:29, Chris Pelling <chris at netearth.net <mailto:chris at netearth.net>> wrote:
> 
> Sorry Greg,
> 
> Totally disagree based on the requirements of the RAA and data retention requirements.  Sending data to Icann for audits etc, to iron mountain for data escrow.
> 
> Way too much data in my opinion
> 
> 
> During audits data is sent to auditors, not to ICANN. I wouldn't trust ICANN InfoSec with such data and I think most contracted parties wouldn't either.
> 
> As for data escrow, it only contains registration data; while some information there is sensitive (like physical address), registrants would rather keep their domains in case of a registrar or registry collapse. Different from WHOIS publication, when the possible legitimate uses under discussions are of 3rd parties, escrow is a legitimate interest of the registrant. While I would like to see DPAs signing on that thinking to be sure we are on the safe side, it's not a balance, it is in place towards registrant benefit. The only grey area here is "right to be forgotten" after a domain is deleted or transferred; will a registrant be able to ask for such data removal, or is a domain registry like a land registry where the ownership history belongs to society not to individual owners of that piece of land ?
> 
> 
> 
> Rubens
> 
> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20180213/00581745/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 529 bytes
Desc: Message signed with OpenPGP
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20180213/00581745/signature.asc>

More information about the gnso-rds-pdp-wg mailing list