Another article today at http://www.theregister.co.uk/2012/03/12/smut_site_hacked/ which talks about a site that was hacked. It is understandable that web technologies are weak for security and no-one would blame somebody for having their DNS poisoned or some root kit passed in a web request but this is another case of the basics being so wrong.
We are not talking about a site knocked up by a kid as a labour of love and therefore lacking the attention to security that might cause a breach, we are talking about Manwin, a European commercial organisation who have committed the heinous crime, not of having security weaknesses necessarily but of storing unencrypted credit card details and unencrypted user login details, both of which have potential value.
In this case, we know who hacked the site and it is unlikely to involve any fraud but why is it not illegal to do this? Why can a company not be massively fined or people even jailed for having suck a lacklustre attitude to personal information?
Currently in the UK, most of the time, you have to be prolific or someone with big pockets for the Information Commissioner to get involved, but this should not be the case. The law is clear about data protection and storing unencrypted credit cards should in itself be a specific crime so that the first time you are hacked, you can be jailed rather than always being given the benefit of the doubt.
I think our government are still very green when it comes to IT and Internet issues and we have people from an older generation trying to legislate about things they simply don't understand.
The issue is worse when we consider that a lot of sites are hosted elsewhere and come under different laws but again, we could have an internet standard which a site can display which proves they are compliant with certain security protocols (like OWASP) and which would have to be done in a way that cannot be easily faked such as a UK certificate authority or the like.