[Dataloss] TJX breach shows that encryption can be foiled

Sean Steele SSteele at infolocktech.com
Tue Apr 3 14:00:41 UTC 2007


I'm familiar with PCI-DSS standards for DAR encryption for cardholder
information, but less sure of retention requirements.

Does anyone know conclusively if TJX was simply retaining cardholder
data per regulations?

-Sean

-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of DAIL, ANDY
Sent: Tuesday, April 03, 2007 9:49 AM
To: dataloss at attrition.org
Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled



I don't care if you're using 1024 bit encryption with an atomic
booby-trap, there is no business reason to retain that much card data
for such a long period after authorization. Especially magnetic track
data!!

In the final analysis, if the data were not being retained, the data
could not be stolen.

TJX is a perfect case-in-point of a retailer who is afraid to purge
historical data, or does not spend the effort to triage the data to
determine what is obsolete. Data Management policy anyone?



-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Chris Walsh
Sent: Monday, April 02, 2007 5:42 PM
To: dataloss at attrition.org
Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled



On Apr 2, 2007, at 2:44 PM, Casey, Troy # Atlanta wrote:

> It should make for a short list of suspects, assuming TJX was doing a
> reasonable job of key management...

That (reasonable key management) is a critical assumption.

I'd be interested in learning what algorithm (and implementation
thereof) they were using, as well.

Not holding my breath on that info :^)

cw
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss Tracking more than 203 million compromised
records in 609 incidents over 7 years.


