[Dataloss] TJX breach shows that encryption can be foiled
Dissent
Dissent at pogowasright.org
Tue Apr 3 19:09:47 UTC 2007
Forwarded for snippage purposes.
Return-Path: <james_ritchie at sbcglobal.net>
Message-ID: <4612A466.1070707 at sbcglobal.net>
Date: Tue, 03 Apr 2007 15:00:54 -0400
So was my wife. If history can tell parts of the future, I think
that the next item will be a suit from the FTC for unfair business
practice which will end up with 10 m fine, 5 m relief, and every
other year an audit from a security specialist, for 20 years. That is
what Cardservices and Choicepoint settled with the FTC last year.
BTW, FTC has adopted GLBA as the standard to protect Business to
consumer relationships.
Sean Steele wrote:
>James,
>
>You pose some interesting questions re: what other regulations TJX is
>likely non-compliant with -- as a public company, I'd guess their SOX
>404 controls should be examined. GLBA may come into play, though they're
>not a finsrv company.
>
>Who is their PCI-DSS auditor and are the results of their most recent
>audit either able to be requested or legally discoverable outside a
>lawsuit?
>
>The PCI Security Standards Council is a private, non-profit
>organization, so FOIA can't be used to force disclosure from them,
>correct?
>
>FWIW, I was a victim of this breach. I had my debit card re-issued by my
>bank this week. It's the first one of 2007 for me ;-(
>
>--
>Sean Steele, CISSP
>infoLock Technologies
>703.310.6478 direct
>202.270.8672 mobile
>ssteele at infolocktech.com
More information about the Dataloss
mailing list