[Dataloss] Consumers of Hannaford Brothers Co. SupermarketsFile Class Action Suit

Thu Mar 20 20:50:56 UTC 2008

Wait, are you saying the personal information should be stored with the
transaction information? 

The card brands and issuers basically require the merchant to store the
PAN for a period after the sale in order to investigate chargebacks.
Most companies strip away any personally identifiable information and
store the PAN along with the sale information in order to reduce the
amount of data being store.  Certainly we wouldn't want to increase the
data merchants are required to store?  In most cases, when you hear of a
company storing too much information, it wasn't because they were
actually doing anything with it, it's because their payment systems are
so old the original currency accepted was "wampum" shells, and the
merchant is too cheap or uninformed to make any changes.

A few merchants do mine data , but most only store the credit card
information because the issuers will make them "eat" a chargeback if
they do not have the sales record.  Merchants could agree to accept that
charge and store nothing, but the prices of goods will simply increase
to cover the reduced margins. 

Alternatively, the issuers could implement chargeback procedures that
didn't require the merchants store data the settlement providers don't
want to store.

-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Edward White
Sent: Thursday, March 20, 2008 2:22 PM
To: Mike Simon
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] Consumers of Hannaford Brothers Co.
SupermarketsFile Class Action Suit

There ought to be a law that retailers are not allowed to strip the
personal data from debit and credit cards when they pass through their
systems to the credit card companies.  If a customer voluteers there
mailing information, that is one thing, but there is a whole market
behind the scenes in the retail industry where by personal information
of their clients is bought and sold.  This is done supposedly so the
retailers can better address their target markets.  If the retailers did
not have the info, there would be no data to breach.

This is the first measure to protect consumers, there many others, I do
not have the time to go into it right now.

-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Mike Simon
Sent: Thursday, March 20, 2008 2:25 PM
To: Rodney
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] Consumers of Hannaford Brothers Co.
SupermarketsFile Class Action Suit

I've been quiet on the topic of certification, compliance and fault
based on these ideas so far, but I'm hearing some pretty strong
statements that I have problems with. The idea that a certification or
endorsement of compliance to a standard of protection should make the
certifying body responsible if data in subsequently lost seems a bit
harsh considering that the certifying agency had no control of the
operation of the compromised systems after they did their testing.
Essentially certification/compliance typically shows that at a specific
point in time the system met certain conditions - nothing more. If the
testing was never done, or it was done and the results falsified that's
one thing. Holding the auditors responsible for all system behavior
after that point in time is hard to fathom.

For me, that points to an increased need to audit IT practices in some
kind of continuous improvement loop (CMM level 5) rather than trying to
hang auditors out to dry every time someone mis configures their
firewall a few weeks after the last audit.

To answer your question, I would hold Visa responsible if they had
anything to do with falsely certifying conditions at Hannaford to be
safe, but not for putting in place a mechanism designed to improve the
overall stance of their partners and not somehow making it perfect.

On Thu, Mar 20, 2008 at 6:17 AM, Rodney <rwise29210 at gmail.com> wrote:
>
>  Wouldn't you include Visa in the discovery if they certified Rapid7?
I use
> PayPal as my gateway and if anything ever happened I would sing names
like
> canary.
>
>  Rodney Wise
>
>  South East Ostrich Supply
>  http://www.seostrich.com
>
>
>
>
>  On Wed, 2008-03-19 at 17:58 -0700, Mike Simon wrote:
>
>
>
> I think you're right in also considering that the product was used
> correctly and just not up to the task, which raises an interesting but

> possibly off-topic question in my mind. If Rapid7 falsely attributes
> the incident to mis-use of their product in a public forum (the press
> release), essentially increasing the potential liability of Hannaford,

> it seems like Hannaford might have a cause of action against Rapid7.
> The cause of action is unrelated to the performance of their product,
> which I'm sure is well protected by the license agreement, but instead

> related to (potentially) false and (potentially) damaging statements
> about Hannaford's security practices.
>
> It seems to me that the statement in the revised press release has no
> real upside for Rapid7 true _or_ false. As someone stated earlier in
> this thread, they should have withdrawn the press release from their
> web site and taken their lumps.
>
> I'm certainly not a lawyer, and have NO knowledge of the incident,
> truthfulness of the subsequent Rapid7 disclaimers or really anything
> at all. This is intended as a discussion of hypothetical outcomes.
>
> Mike
>
> On Wed, Mar 19, 2008 at 5:40 PM, Jamie C. Pole <jpole at jcpa.com> wrote:
> >
> > Let's also consider the possibility the Hannaford WAS using the tool

> > correctly, and that it just didn't work as advertised.
> >
> > As far as the law firm being on the ball, trust me, they are. I know
this
> > firm well, and they will absolutely include Rapid7 in their
discovery
> > process. If I was senior management at Rapid7, I would NOT be
sleeping
> well
> > right now.
> >
> > The kiss of death in this case is going to be the fact that there
have
> been
> > around 1800 reported cases of fraud stemming from the incident. This
was
> > not an accident.
> >
> > Jamie
> >
> >
> > -----Original Message-----
> > From: dataloss-bounces at attrition.org
> [mailto:dataloss-bounces at attrition.org]
> > On Behalf Of Mike Simon
> > Sent: Wednesday, March 19, 2008 6:47 PM
> > To: lyger; dataloss-bounces at attrition.org; dataloss at attrition.org
> > Subject: Re: [Dataloss] Consumers of Hannaford Brothers Co.
Supermarkets
> > FileClass Action Suit
> >
> >
> >
> > This could not be a better example of why companies hesitate to
disclose
> > details. If this lawfirm is on the ball. They will get access to the

> > exchange with Rapid7 which, according to the press release changes,
> > indicates potential additional negligence in that the had a tool
that may
> > have prevented this problem and failed to use it properly. Not a
helpful
> > disclosure for Hannaford with respect to the class action.
> >
> > Mike
> >
> >
> >
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring

> solutions for large and small networks. Scan your network and monitor
your
> traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml
>
>
>  Rodney Wise
>
>  South East Ostrich Supply
>  http://www.seostrich.com
>  (803) 741-5636
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor
your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor
your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml

This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments.