Over the past week, there has been a rash of sites that have been compromised to distribute malware. The basic idea of the attack is nothing new - legitimate sites are compromised so that when users visit them they download malicious software. What's new is the scope of the current wave (hundreds of thousands of pages compromised) and the highly trusted nature of the sites compromised (including pages run by the UN). Something else that's noteworthy about this latest rash of attacks is that it's not clear where to assign responsibility. Early reports (e.g., here) blamed a vulnerability in the Microsoft Internet Information Services server software. However, later reports (e.g., here and here) have said that the fault doesn't lie with Microsoft, but instead can be assigned to lax programming practices and more sophisticated bad guys.
So what, from a legal standpoint, happens now? The initial reports seemed to indicate a class action lawsuit in Microsoft's future. However, if the blame can't be pinned on Microsoft, what recourse do businesses have when, through no fault of their own, their web pages end up compromised? While it still isn't clear what's going on, it could be that the answer is that those businesses have no recourse at all. Realistically, they won't be able to find the hackers, and, even if they do, the hackers are most likely judgment proof. They can't sue Microsoft if that company is blameless, and they can't go after their own employees for poor programming practices (if that's what's to blame). The bottom line is that the losses in this case might just be eaten by the entities who have already been victimized by hackers. It's a reminder of the limits of the legal system to shift risk, and a good example of why relying on the legal system to protect a business from losses due to criminal behavior isn't a particularly good idea.