- BKK is the client of T-Systems. They have a contract for the development and maintenance of this system which might contain clauses about liability or indemnification in cases of hacking, security bugs, negligence, etc.
- This guy reported it to BKK who obviously don't have any technical knowledge
- BKK (the client) forwards the email to T-Systems (the contractor): "What's this about? Looks like hacking or something."
- Now T-Systems has two options: 1. Blame it on the guy, or 2. Take the blame for overpromising and screwing it up, possibly taking a financial loss of an unknown amount (depending on the contract and how widespread exploitation was)
That's unlikely. Even if you don't develop the system on your own and buy it from a third party (be it T-Systems or someone else), you still need technical expertise to prepare the requirements, evaluate the proposed solution (possibly proposals from multiple vendors) and then do acceptance testing. So the "BKK obviously don't have any technical knowledge" claim is bogus.
It's possible the particular BKK person dealing with the report does not have technical knowledge, but that's more a fail on BKK's side as they let incompetent people deal with reports of security incidents.
But I'd bet it's merely a matter of covering broken shit and shifting blame. BKK is (probably?) a public company, managing transport in the capital city. They manage a lot of money, and it's not uncommon to funnel lucrative contracts to friendly companies, even if it increases price and the quality is dubious. Whoever came up with this project / awarded the contract / accepted the solution is probably scared people might start digging into the details. Better blame the problems on a hacker!
> Even if you don't develop the system on your own and buy it from a third party (be it T-Systems or someone else), you still need technical expertise to prepare the requirements, evaluate the proposed solution (possibly proposals from multiple vendors) and then do acceptance testing.
I don't think this is true. When you buy a house, do you have to be able to do the specification and evaluate? This is a good analogy, because T-Systems have delivered similar solutions to other clients, what they needed here is a little bit of tailoring and integration (which is not the part that failed).
It is common for a typical western government to have domain specialists, working directly for them, to help write the contracts and requirements for their external contractors and vendors.
Definitely not the case. Huge numbers of SME clients evaluate tendered work on visual inspection alone. I've only ever had one or two clients (having worked in-house, contract, and for an agency) who had any knowledge of cyber security.
I think the hypothetical above is very reasonable. Lots of technical vendors will elect to shift blame. They should take responsibility for their issues, but they often don't.
Except that BKK is not an SME, but a company managing transportation in a city with nearly 2 million people. I've done work for similar organizations founded by municipalities (although smaller and not in Hungary), and pretty much all of them involved technically-skilled people in the process.
Perhaps BKK operates in a different way, but well - incompetence is not an excuse. It's a management failure.