Another entry in the “Preventable Breach” and “We could have prevented this” columns. This appears to be all about change and configuration management, an area that clearly needs some work.
Brian Krebs announced last night that there has been a huge data leak at MBIA, the nation’s largest bond insurer. On Monday, he notified MBIA Inc. that a misconfiguration in a company Web server had exposed countless customer account numbers, balances and other sensitive data. Much of the information had been indexed by search engines. That includes a page listing administrative credentials that attackers could use to access data that wasn’t accessible via a simple Web search: https://krebsonsecurity.com/2014/10/huge-data-leak-at-largest-u-s-bond-insurer/
Let’s be honest, a misconfigured Web server simply should not happen. This is what makes this a preventable breach. This is the same class of problem as connecting a test server with a default password to the internet, as happened at Health…

