<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML dir=ltr><HEAD><TITLE>Message</TITLE>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.2963" name=GENERATOR></HEAD>
<BODY>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=077190221-19102006>Depending on the industry and depending on the
circumstances of the breach, it could be impossible for the merchant to notify
the people affected. A lot of retail systems store credit card numbers for
chargeback research, but the name of the card holder is not kept.
</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=077190221-19102006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=077190221-19102006>When
one of these businesses is breached they know xxxxx number of card numbers were
possibly compromised, but not who the cards belong to (Magnetic stripe data
being an exception). In that event the company has no choice but to notify
their settlement provider, who will in turn notify the issuer, who can cross
reference card numbers with card holders.</SPAN></FONT></DIV>
<DIV> </DIV>
<DIV> </DIV><!-- Converted from text/rtf format -->
<P><SPAN lang=en-us><FONT face=Arial size=2>Andy Dail</FONT></SPAN> <BR><SPAN
lang=en-us><FONT face=Arial size=2>Sunoco</FONT> <FONT face=Arial size=2>PCI
Project Manager</FONT></SPAN> <BR><SPAN lang=en-us><FONT face=Arial size=2>(918)
586-6</FONT><FONT face=Arial size=2>1</FONT><FONT face=Arial
size=2>60</FONT></SPAN> </P>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV></DIV>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left><FONT
face=Tahoma size=2>-----Original Message-----<BR><B>From:</B>
dataloss-bounces@attrition.org [mailto:dataloss-bounces@attrition.org] <B>On
Behalf Of </B>Dennis Opacki<BR><B>Sent:</B> Thursday, October 19, 2006 3:43
PM<BR><B>To:</B> dataloss@attrition.org<BR><B>Subject:</B> Re: [Dataloss] VISA
/ 1ST BANK<BR><BR></FONT></DIV>
<DIV id=idOWAReplyText3213 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>The way I read the
notification, it didn't sound like the processor was affiliated with 1st
Bank:</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>"We would also like to reassure you that
the compromise of information occurred at a merchant card processor's
location, not FirstBank and therefore your account information at FirstBank
has not been obtained by these unauthorized indivuduals(SIC)." </FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>Perhaps they are just notifying customers
affected by another company's gaff? Must be a bad day if they didn't even
spell-check the notification before it went out..</FONT></DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>-Dennis</FONT></DIV></DIV>
<DIV id=idSignature22723>
<DIV><FONT face=Arial size=2></FONT> </DIV></DIV>
<DIV dir=ltr><BR>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> B.K. DeLong<BR><B>Sent:</B> Thu
10/19/2006 1:21 PM<BR><B>To:</B> Chris Walsh<BR><B>Cc:</B>
dataloss@attrition.org<BR><B>Subject:</B> Re: [Dataloss] VISA / 1ST
BANK<BR></FONT><BR></DIV>
<DIV>Is it that hard to find out who did the card processing for 1st
Bank?<BR><BR>
<DIV>On 10/19/06, <B class=gmail_sendername>Chris Walsh</B> <<A
href="mailto:cwalsh@cwalsh.org">cwalsh@cwalsh.org</A> > wrote:
<BLOCKQUOTE class=gmail_quote>On Thu, Oct 19, 2006 at 10:41:37AM -0400, B.K.
DeLong wrote:<BR>> Well, whomever it was will probably get wacked with a
HUGE fine for <BR>> violating PCI Security standards. I'm guessing it
won't take long to<BR>> determine who falls under approved card
processors for Visa.<BR><BR><BR>They might get fined, but not buy
Visa. Too much butter on that bread <BR>to throw it in the
bin.<BR><BR>The FTC, OTOH, may do some enforcement:<BR><A
href="http://www.emergentchaos.com/archives/2006/06/prediction.html">http://www.emergentchaos.com/archives/2006/06/prediction.html</A><BR><BR>Visa
has been zealously guarding the "privacy" of these processors since<BR>at
least December of 2005, when the Sam's Club stuff started to hit
the<BR>fan. Even Gartner called MC and Visa out on it:<BR><A
href="http://www.emergentchaos.com/archives/2005/12/gartner_to_visa.html">http://www.emergentchaos.com/archives/2005/12/gartner_to_visa.html</A><BR><BR>Chris<BR><BR></BLOCKQUOTE></DIV><BR><BR
clear=all><BR>-- <BR>B.K. DeLong (K3GRN)<BR><A
href="mailto:bkdelong@pobox.com">bkdelong@pobox.com</A>
<BR>+1.617.797.8471<BR><BR><A
href="http://www.wkdelong.org/">http://www.wkdelong.org/</A> Son.<BR><A
href="http://www.ianetsec.com/">http://www.ianetsec.com/</A> Work.<BR><A
href="http://www.bostonredcross.org/">http://www.bostonredcross.org/</A>
Volunteer.<BR><A
href="http://www.carolingia.eastkingdom.org/">http://www.carolingia.eastkingdom.org/</A>
Service.<BR><A
href="http://bkdelong.livejournal.com/">http://bkdelong.livejournal.com/</A>
Play.<BR><BR><BR>PGP Fingerprint:<BR>38D4 D4D4 5819 8667 DFD5 A62D
AF61 15FF 297D 67FE<BR><BR>FOAF:<BR><A
href="http://foaf.brain-stream.org/">http://foaf.brain-stream.org/</A>
</DIV></BLOCKQUOTE></BODY></HTML>
<table><tr><td bgcolor=#ffffff><font color=#000000>This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments.<br>
</font></td></tr></table>