[Dataloss] TJX breach shows that encryption can be foiled

B.K. DeLong bkdelong at pobox.com
Mon Apr 2 19:33:22 UTC 2007


If that isn't a loaded statement. So TJX is claiming all their credit
card data is always encrypted at rest? How many people would have
access to such a "decryption tool"? This sounds fishy.

On 4/1/07, lyger <lyger at attrition.org> wrote:
>
> http://www.boston.com/business/globe/articles/2007/03/31/tjx_breach_shows_that_encryption_can_be_foiled/
>
> Encryption alone is no panacea for threats to consumer data, according to
> specialists who say the technology's limit can be seen in the problems
> reported by TJX Cos. of Framingham.
>
> The notion of using complex math formulas to scramble electronic
> information is gaining steam as a way to protect individuals' privacy, an
> area of growing concern for retailers and banks as data thefts become more
> brazen.
>
> But recent details to emerge on how hackers accessed the parent of stores
> including T.J. Maxx and Marshalls show how encryption can be defeated by
> clever thieves -- and suggest the breach may have been an inside job.
>
> A securities filing by TJX on Wednesday disclosed that the incident may
> have compromised more than 45 million credit and debit card numbers, the
> most in any single incident. In the filing, TJX also stated that "we
> believe that the intruder had access to the decryption tool for the
> encryption software utilized by TJX."
>
> [...]
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 203 million compromised records in 609 incidents over 7 years.
>


-- 
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org                    Son.
http://www.ianetsec.com                    Work.
http://www.bostonredcross.org             Volunteer.
http://www.carolingia.eastkingdom.org   Service.
http://bkdelong.livejournal.com             Play.


PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org


More information about the Dataloss mailing list