[Dataloss] More on the BofA card-cancellations

Adam Shostack adam at homeport.org
Fri Feb 10 12:13:34 EST 2006


Thanks Sharon!

The only explanation(s) I can think of for not disclosing are ongoing
investigations, which is starting to get thin as details leak, and
that the data was "encrypted."

I don't believe that the encryption exemption is going to work,
because clearly these banks feel it's worth some expense to protect
their customers--therefore, any encryption in place was either weak,
or bypassed by the nature of the attack.

Adam

On Fri, Feb 10, 2006 at 08:51:05AM -0800, Sharon Besser wrote:
| According to
| 
| http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2006/02/10/BUG5HH5N841.DTL
| There was a security breach.  Here are some highlights from this
| article that also discuss the legal requirements to disclose
| information to the public.
| 
| 
| ".... But well-placed sources within the banking and credit card
| industries now tell me that the company in question is a leading
| retailer in the office-supply business.
| 
| Those sources also place the total number of consumers affected by the
| security breach at nearly 200,000.
| 
| Washington Mutual confirmed Thursday that it too was involved in the
| breach and is replacing customers' debit cards.
| 
| Banking industry sources said they were notified last month by Visa
| and MasterCard that the computer system of a prominent merchant had
| been penetrated by a computer hacker, and that account information for
| thousands of customers had been endangered.
| 
| Rosetta Jones, a spokeswoman for Visa USA, acknowledged Thursday that
| the incident involved a U.S. merchant that "may have experienced a
| data security breach resulting in the compromise of Visa card account
| information."
| 
| Sharon Gamsin, a spokeswoman for MasterCard International, said the
| credit card company had been informed of "a potential security breach
| at a U.S.-based retailer..... "
| 
| ---Sharon
| 
| 
| -----Original Message-----
| From: Chris Walsh [mailto:cwalsh at cwalsh.org]
| Sent: Friday, February 10, 2006 7:39 AM
| To: dataloss at attrition.org
| Subject: [Dataloss] More on the BofA card-cancellations
| 
| From today's American Banker Online
| (http://www.americanbanker.com/datasecurityscan.html [paywall]):
| 
| Julie Davis, a B of A spokeswoman, told American Banker that to her knowledge
|                                                              ^^^^^^^^^^^^^^^^
| no major security breach has occurred in recent weeks at a third party that
|                                       ^^^^^^^^^^^^^^^
| works with B of A, and that the cards that were reissued were likely not
| connected to a single event.
| 
| 
| "It's part of our normal process to block and reissue cards when there is any
| potential for fraud," she said. A group of "customers receiving a letter don't
| necessarily indicate that they are from the same incident."
| ^^^^^^^^^^^
| 
| [I underlined certain parts]
| 
| Depending on what "recent" means, this *could* be Sam's Club fallout (among
| other things).  Of course, unless people actually reveal information, we will
| never know, will we?
| 
| _______________________________________________
| Dataloss mailing list
| Dataloss at attrition.org
| https://attrition.org/mailman/listinfo/dataloss
