[Dataloss] TJX breach shows that encryption can be foiled

B.K. DeLong bkdelong at pobox.com
Tue Apr 3 17:46:43 UTC 2007


I think Andy's got it covered, but I'm confident the amount of data
(including Track 2) they were retaining was above and beyond the
PCI-DSS maximum, especially with such a failure cryptography-wise.

On 4/3/07, Sean Steele <SSteele at infolocktech.com> wrote:
> I'm familiar with PCI-DSS standards for DAR encryption for cardholder
> information, but less sure of retention requirements.
>
> Does anyone know conclusively if TJX was simply retaining cardholder
> data per regulations?
>
> -Sean
>
> -----Original Message-----
> From: dataloss-bounces at attrition.org
> [mailto:dataloss-bounces at attrition.org] On Behalf Of DAIL, ANDY
> Sent: Tuesday, April 03, 2007 9:49 AM
> To: dataloss at attrition.org
> Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled
>
>
>
> I don't care if you're using 1024-bit encryption with an atomic
> booby-trap, there is no business reason to retain that much card data
> for such a long period after authorization. Especially magnetic track
> data!!
>
> In the final analysis, if the data were not being retained, the data
> could not be stolen.
>
> TJX is a perfect case-in-point of a retailer who is afraid to purge
> historical data, or does not spend the effort to triage the data to
> determine what is obsolete.  Data Management policy, anyone?
>
>
>
> -----Original Message-----
> From: dataloss-bounces at attrition.org
> [mailto:dataloss-bounces at attrition.org] On Behalf Of Chris Walsh
> Sent: Monday, April 02, 2007 5:42 PM
> To: dataloss at attrition.org
> Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled
>
>
>
> On Apr 2, 2007, at 2:44 PM, Casey, Troy # Atlanta wrote:
>
> > It should make for a short list of suspects, assuming TJX was doing a
> > reasonable job of key management...
>
> That (reasonable key management) is a critical assumption.
>
> I'd be interested in learning what algorithm (and implementation
> thereof) they were using, as well.
>
> Not holding my breath on that info :^)
>
> cw
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss Tracking more than 203 million compromised
> records in 609 incidents over 7 years.
>


-- 
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org                    Son.
http://www.ianetsec.com                    Work.
http://www.bostonredcross.org             Volunteer.
http://www.carolingia.eastkingdom.org   Service.
http://bkdelong.livejournal.com             Play.


PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org
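The thread's point is that Track 2 data (and, with it, the service code and
discretionary data that carry the CVV equivalent) must not survive
authorization at all, encrypted or not, and that the rest of the card record
should be stored truncated. The following is an added example, not code from
the thread or from TJX, showing both halves of that: a minimizer that keeps
only what may be retained post-authorization, and a coarse scanner that walks
stored records looking for full Track 2 or a clear-text PAN that passes Luhn.
The Track 2 string and the "historical" records are constructed; the PAN is
the well-known 4111111111111111 test number. Field layout follows ISO/IEC 7813
(;PAN=YYMM<service code><discretionary>?); the record names and log format are
assumptions for illustration.

```python
import re

# Constructed sample Track 2 string in ISO/IEC 7813 layout:
#   ;<PAN>=<YYMM><service code><discretionary data>?
# The PAN is the well-known 4111111111111111 test number, not a real card.
TRACK2_SAMPLE = ";4111111111111111=25121011234567890?"

# Field layout of a Track 2 string. Everything after the expiry is
# "sensitive authentication data" in PCI DSS terms and may not be kept
# after authorization, encrypted or not.
TRACK2_RE = re.compile(
    r";?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})?(?P<disc>\d*)\??"
)
# Any 13-19 digit run not embedded in a longer digit run: PAN candidate.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(pan: str) -> bool:
    """Luhn check, used to separate real PAN candidates from other numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(track: str) -> dict:
    """Split a raw Track 2 read into its fields; raise on anything else."""
    m = TRACK2_RE.fullmatch(track.strip())
    if m is None:
        raise ValueError("not a Track 2 string")
    return m.groupdict()


def mask_pan(pan: str) -> str:
    """First six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def minimize_for_storage(track: str, auth_code: str) -> dict:
    """Return the only record that should outlive authorization: masked PAN,
    expiry and the authorization reference. Service code and discretionary
    data (which carry the CVV equivalent) are dropped on the floor."""
    fields = parse_track2(track)
    return {
        "pan_masked": mask_pan(fields["pan"]),
        "exp": fields["exp"],
        "auth_code": auth_code,
    }


def find_retained_track_data(records) -> list:
    """Scan stored records (log lines, table rows dumped as text) for the two
    things that should not be there: full Track 2, and a clear-text PAN that
    passes Luhn. Returns (index, kind) pairs. Coarse by design: Luhn alone
    will admit some non-PAN numbers, so treat hits as leads, not proof."""
    findings = []
    for i, rec in enumerate(records):
        if TRACK2_RE.search(rec):
            findings.append((i, "track2"))
            continue
        if any(luhn_ok(c) for c in PAN_RE.findall(rec)):
            findings.append((i, "pan_clear"))
    return findings


# Constructed "historical" records of the kind the thread is arguing about
# (hypothetical log format): one compliant, one with raw Track 2, one with
# the full PAN left in the clear.
STORED_RECORDS = [
    "2007-04-03 auth ok pan=411111******1111 exp=2512 auth=A1B2C3",
    "2007-04-03 raw swipe ;4111111111111111=25121011234567890?",
    "2007-04-03 settle pan=4111111111111111 exp=2512 auth=A1B2C3",
]

if __name__ == "__main__":
    print(minimize_for_storage(TRACK2_SAMPLE, "A1B2C3"))
    for idx, kind in find_retained_track_data(STORED_RECORDS):
        print(f"record {idx}: prohibited data ({kind}): {STORED_RECORDS[idx]}")
```

The minimizer is the preventive half (nothing worth stealing is written), the
scanner the detective half (finding what an older system already wrote). Run
over the constructed records it flags the raw swipe as retained Track 2 and the
settlement line as a clear-text PAN, and passes the masked record.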

