[Dataloss] BoA breach - possible Wal-Mart connection?

Chris Walsh cwalsh at cwalsh.org
Sat Feb 11 21:05:43 EST 2006


And to be specific, is it Sam's Club, which was reported as being  
breached in early December 2005, and where Wal-Mart denied that a  
computer system of theirs had been compromised?  Where Gartner and  
American Banker chided Visa and MC for hoarding info and playing  
favorites?  Where PCI standards were not followed and stripe data  
were stored?  Wow.

The connection between the BofA/Wamu/Wells Fargo card reissues, and  
the earlier one by Regions Bank, and the months earlier ones by the  
Alabama Credit Union, et al. is one I semi-drew
(http://www.emergentchaos.com/archives/002414.html).  I didn't think there  
was enough to pin it on Sam's Club, especially since BofA said a  
processor wasn't involved. How would a retailer lose so much info,  
especially since reports in December were that the detected frauds  
likely were from customers who bought gasoline at Sam's Club?

Sam's Club said this on 12/2/2005
(http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/12-02-2005/0004227070):

"SAM'S CLUB stressed that the electronic systems and
databases used inside its stores and for http://samsclub.com are not
involved."

So, databases "inside its stores" and the web site didn't get  
penetrated.  That leaves, uh, POS devices, and....dare I say  
it...*wireless*?   If we find out that they got p0wned via wireless  
(a la Lowes, back in 2003?) I will fall off my chair.

This could be huge.  Wal-Mart wants to get into the banking business,  
and (if true) this isn't exactly a ringing endorsement.

Early in December, I had some fun with ID Analytics and used their  
numbers to argue that this breach would have exposed 600,000  
accounts.  It doesn't seem like fun, now.

On Feb 11, 2006, at 6:54 PM, lyger wrote:

>
>
> Bank Card Reissues May Be Linked to Wal-Mart Breach
>
> By Paul F. Roberts and Matt Hines <mailto:matt_hines at ziffdavis.com>
> February 10, 2006
>
> In what appears to be a widening incident, Bank of America, MasterCard
> and Visa all announced this week that they have been informed of a
> potential security breach at a U.S.-based retailer.
>
> The companies refused to name the retailer involved, but at least one
> bank said that systems belonging to Wal-Mart Stores, the world's largest
> retailer, may be to blame.
>
> http://security.ithub.com/article/Bank+Card+Reissues+May+Be+Linked+to+WalMart+Breach/171328_1.aspx
>
> _______________________________________________
> Dataloss mailing list
> Dataloss at attrition.org
> https://attrition.org/mailman/listinfo/dataloss


