[Dataloss] TJX breach shows that encryption can be foiled

DAIL, ANDY ADAIL at sunocoinc.com
Tue Apr 3 13:49:26 UTC 2007



I don't care if you're using 1024-bit encryption with an atomic
booby-trap, there is no business reason to retain that much card data
for such a long period after authorization. Especially magnetic track
data!!

In the final analysis, if the data were not being retained, the data
could not be stolen.

TJX is a perfect case-in-point of a retailer who is afraid to purge
historical data, or does not spend the effort to triage the data to
determine what is obsolete.  Data Management policy anyone?



-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Chris Walsh
Sent: Monday, April 02, 2007 5:42 PM
To: dataloss at attrition.org
Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled



On Apr 2, 2007, at 2:44 PM, Casey, Troy # Atlanta wrote:

> It should make for a short list of suspects, assuming TJX was doing a
> reasonable job of key management...

That (reasonable key management) is a critical assumption.

I'd be interested in learning what algorithm (and implementation 
thereof) they were using, as well.

Not holding my breath on that info :^)

cw
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss Tracking more than 203 million compromised
records in 609 incidents over 7 years.

This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments.
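The point of the post above is that what is never stored cannot be stolen. As an added illustration (not code from the original post, the list, or any retailer's actual systems), the Python below does two things a practitioner would want alongside a retention policy: it builds the only record a point-of-sale system needs to keep once the issuer has authorized a swipe (masked PAN, expiry, amount, authorization code, and a purge date), discarding track data and the card verification code before anything is written; and it scans stored text such as database exports or log lines for track-2 or Luhn-valid PAN material that slipped through anyway. The field names, record layout, retention window and sample swipe/log lines are all constructed for this example and use a well-known test card number, not real data.

```python
"""Added example: card-data minimization after authorization, plus a scan
for retained track data. Not from the original post; all names and sample
data are constructed for illustration."""
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample of what a terminal reads from the stripe (test number,
# not a real card). This is the input that must NOT be stored as-is.
SAMPLE_SWIPE = {
    "pan": "4111111111111111",
    "expiry": "0928",
    "track2": ";4111111111111111=09281011234?",
    "cvv": "123",
    "amount_cents": 4999,
    "auth_code": "A1B2C3",
    "auth_date": date(2007, 4, 2),
}

# Constructed log lines: the second one is what a debug-logging mistake looks like.
GOOD_LOG_LINE = "2007-04-02 17:42:01 POS07 auth ok masked=411111******1111 code=A1B2C3"
BAD_LOG_LINE = "2007-04-02 17:42:01 POS07 debug swipe=;4111111111111111=09281011234? cvv=123"

# Track-2 shape: optional start sentinel, 13-19 digit PAN, '=' separator,
# YYMM expiry, discretionary data, optional end sentinel.
TRACK2_RE = re.compile(r";?\d{13,19}=\d{4}\d*\??")
# A standalone 13-19 digit run is a candidate PAN (confirmed with Luhn).
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits):
    """Standard Luhn check; filters plain numeric noise out of PAN_RE hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep first six and last four digits (BIN and tail), mask the rest."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class RetainedTransaction:
    """Everything settlement, receipts and chargebacks need; nothing else.
    There is deliberately no field for track data, CVV or full PAN."""
    masked_pan: str
    expiry: str
    amount_cents: int
    auth_code: str
    auth_date: date
    purge_after: date


def minimize_after_auth(swipe, retention_days=90):
    """Build the record to store once authorization succeeded. The swipe
    dict's track2/cvv/full pan are simply never copied; retention_days is
    an assumed policy value, not a standard."""
    auth_date = swipe["auth_date"]
    return RetainedTransaction(
        masked_pan=mask_pan(swipe["pan"]),
        expiry=swipe["expiry"],
        amount_cents=swipe["amount_cents"],
        auth_code=swipe["auth_code"],
        auth_date=auth_date,
        purge_after=auth_date + timedelta(days=retention_days),
    )


def find_sensitive_data(text):
    """Return (kind, match) findings for track-2 data or Luhn-valid PANs in
    stored text. Run it over exports and logs to catch retention the code
    path above was meant to prevent; masked PANs do not trigger it."""
    findings = [("track2", m.group()) for m in TRACK2_RE.finditer(text)]
    findings += [("pan", m.group()) for m in PAN_RE.finditer(text)
                 if luhn_ok(m.group())]
    return findings


def purge_expired(records, today):
    """Keep only records whose retention window has not elapsed."""
    return [r for r in records if r.purge_after > today]


if __name__ == "__main__":
    rec = minimize_after_auth(SAMPLE_SWIPE)
    print("stored record:", rec)
    print("clean log findings:", find_sensitive_data(GOOD_LOG_LINE))
    print("bad log findings:", find_sensitive_data(BAD_LOG_LINE))
    print("after retention window:", purge_expired([rec], rec.purge_after))
```

The scanner is intentionally noisy in the right direction: a track-2 hit also produces a PAN hit for the same number, and any Luhn-valid 13-19 digit run is reported, so it is a triage tool for finding where card data has been retained, not a precise classifier.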

