PL charge City for alleged breaches of financial rules

[KS55]

I thought they used an existing users password, if so what exactly is poor about the security procedures?
Other than user education on cyber security, fundamentally it's down to human ineptitude not lax security; you don't change everyone's passwords when one person leaves a company.

You do, if he has access to the most important data. Just one dept needed to change.

 

[EricBrooksGhost]

You do, if he has access to the most important data. Just one dept needed to change.

Seriously, you don't. Have better security e.g. 2FA as per my edit to original post

 

[gocity]

Our IT security has been incompetent for as long as I can remember. I'm not going to go into huge and illegal details but I happen to know that there were business development and other meetings that you could just watch online if you had the right link all the way up until about 2020.

I t bad, not only on security, Ticketing, Season ticket foul ups, poor web design, lack of proper system testing whenever they made a big change

 

[StillBluessinceHydeRoad]

not sure how I feel about our response should we be fully cleared.

Obviously a very strong club statement to start.

Possibly to demand a similar public statement from media outlets.

A public declaration from the PL of our innocence ( as opposed to no guilty ) along with public acknowledgement of what the club has endured.

Not sure burning the world down around us would help as that would hurt us too.

We all feel angry and most of us probably want some bloodcurdling revenge on Masters, the PL and the cartel. But media outlets would simply refuse any such statement and probably add an insulting interpretation of the award. The PL would probably refuse also and issue a pious statement about its responsibility for maintaining the integrity of the league and its competition when clubs may have breached the very necessary rules. The MSM, the PL and the cartel know a fair bit about non-cooperation.

 

[Gone for a Burton]

Mate I live Ramsgate SE Kent and the local sports direct has very few City shirts. Only started stocking a few about 10 years ago, didnt even have any City stuff after the Aguero moment .Haven't seen a City calendar anywhere this year. Who needs shops when it's just as easy to buy online.
But there is a big increase in young kids wearing City kits.

Two young Asian girls on the golf range last night wearing City shirts, and lots of other young multi-ethnic lads round the place with City gear on.

Away from the bitter, envious and ignorant English media we get very fair & factual coverage.

The average international punter knows little or nothing about 115 cos its not reported front and centre.

They take us at face value....a great team !!

 

[chocovla]

I thought they used an existing users password, if so what exactly is poor about the security procedures?
Other than user education on cyber security, fundamentally it's down to human ineptitude not lax security; you don't change everyone's passwords when one person leaves a company.

Edit: I do agree that we should have more than just password based access i.e. 2FA; but if an existing user's password was used the flaw is with that user

In badly run companies these rights and roles are often found in several systems and sites therefore making it very hard to gauge which accounts someone has used. In more mature environments these rights are assigned using formal procedures with roles which can and should be revoked whenever someone leaves the company.

In this case someone left City, but their account was still there. Even worse, it was still active. A big nono. Therefore City should have had a better procedure for leaving users where all rights and roles are automatically revoked on the last day.

 

[Prestwich_Blue]

The first one was the unauthorised Liverpool access. Unauthorised access due to poor security procedures. Big wake-up call. The second was Pinto. A different kettle of fish, of course, But none of it reflects well on the efficiency of security management.

All imho, of course.

You're actually largely incorrect on this.

The Liverpool one involved the former City employees using an existing enployee's login credentials. I don't know how they got that password (although I'm sure City does) but I do know that the City employee involved was still there a few years later, and may still be. So he wasn't sacked, suggesting he wasn't actively involved in whatever happened. It still puzzles me why we didn't go to the police over this, as it was a clear criminal offence under the Computer Misuse Act.

My understanding of the Pinto hack is that it involved an phishing email designed to look like it came from UEFA, which was opened by a senior club official. You can warn people all you like and carry out regular phishing tests, but there's pretty well no way you can guarantee security if someone doesn't carefully check an email address every time before they open it or click on a link.

 

[Prestwich_Blue]

In this case someone left City, but their account was still there. Even worse, it was still active. A big nono. Therefore City should have had a better procedure for leaving users where all rights and roles are automatically revoked on the last day.

Wrong. See my post above.

 

[Gone for a Burton]

We all feel angry and most of us probably want some bloodcurdling revenge on Masters, the PL and the cartel. But media outlets would simply refuse any such statement and probably add an insulting interpretation of the award. The PL would probably refuse also and issue a pious statement about its responsibility for maintaining the integrity of the league and its competition when clubs may have breached the very necessary rules. The MSM, the PL and the cartel know a fair bit about non-cooperation.

There will be repercussions, revenge and celebrations.

The repercussions will be swift and public.

The revenge slow, cold and barely visible.

The celebrations long, loud and lional.

The Etihad then Deansgate !!

 

[chocovla]

So he wasn't sacked, suggesting he wasn't actively involved in whatever happened. It still puzzles me why we didn't go to the police over this, as it was a clear criminal offence under the Computer Misuse Act.

Which really baffles me. Therefore I think it was part of settlement. In my line of work it's normal operating procedure to always contact the local cybercrime units to report this sort of thing. Even attempted hacks are reported.