[Dataloss] additional information on Advance Auto Parts data breech

[Henry Brown]

http://storefrontbacktalk.com/story/041108advanceauto

Unencrypted customer credit card information dating back to 2001 was 
among the customer payment data stolen from as many as 56,000 customers 
of Advance Auto Parts, according to one company official, who added that 
the chain is not PCI compliant.

The $4.8 billion automotive aftermarket parts chain—which dubs itself 
the nation's second largest such chain, with 3,261 stores in 40 states, 
Puerto Rico and the Virgin Islands—said the breach appears to have 
impacted customers from 14 of its stores in Georgia, Ohio, Louisiana, 
Tennessee, Mississippi, New York, Virginia and Indiana.

The breach—which revealed check, credit card and debit card 
data—apparently happened in February 2008 and was discovered "in early 
March," said Shelly Whitaker, the manager of public communications for 
Advance Auto Parts.

The initial investigation revealed that "the majority of [the stolen 
information] was old data" from December 2001 through December 2004 and 
that none of the older data had been encrypted, Whitaker said. She added 
that the chain currently encrypts payment data.

Whitaker said the old credit card data was still in the company's system 
because it was left over from some old network changes. "During a system 
conversation, the data had not been deleted," she said.

Advanced Auto Parts was not PCI compliant at the time of the data breach 
and is still not compliant, although Whitaker said the chain is "in the 
final stages" of having a PCI assessment completed. It had not been 
declared PCI compliant because of "an open item not related to this 
intrusion," which Whitaker declined to identify. "We should be compliant 
in the next couple of months," she said on April 11.