
Does anyone else, based upon the assumptions above, believe this statement to be patently incorrect (specifically, the part about 'personal information had not been at risk.') ?
While not technically correct, they are not technically incorrect either.
Hm. One possible attack on BoA's data would be to log incoming UDP port 1434 requests to your network, and cross-reference the source addresses with BoA's netblocks. Now you have a list of verified vulnerable BoA MSSQL servers. While it's possible that _none_ of the vulnerable servers have _any_ 'personal information', I'd venture to guess otherwise.

While I'm on the topic of attacking servers that attacked you first, can I get some opinions on the ethics of this? I think a targeted attack like the one I described above would surely be crossing the proverbial line, but what about an automated nmap scan of attacking hosts, where the data would be used for aggregate statistics? Thoughts?

Ryan