[Dataloss] TJX breach shows that encryption can be foiled
Dan Good
Dan.Good at evault.com
Tue Apr 3 19:25:18 UTC 2007
Without quick severe financial penalties imposed, this will continue to
happen. Brand Damage is not enough because the companies that breach
confidential customer data pass the buck and blame their vendor(s).
-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Dissent
Sent: Tuesday, April 03, 2007 3:10 PM
To: dataloss at attrition.org
Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled
Forwarded for snippage purposes.
Return-Path: <james_ritchie at sbcglobal.net>
Message-ID: <4612A466.1070707 at sbcglobal.net>
Date: Tue, 03 Apr 2007 15:00:54 -0400
So was my wife. If history can tell parts of the future, I think
that the next item will be a suit from the FTC for unfair business
practice which will end up with 10 m fine, 5 m relief, and every
other year an audit from a security specialist, for 20 years. That is
what Cardservices and Choicepoint settled with the FTC last year.
BTW, FTC has adopted GLBA as the standard to protect Business to
consumer relationships.
Sean Steele wrote:
>James,
>
>You pose some interesting questions re: what other regulations TJX is
>likely non-compliant with -- as a public company, I'd guess their SOX
>404 controls should be examined. GLBA may come into play, though
they're
>not a finsrv company.
>
>Who is their PCI-DSS auditor and are the results of their most recent
>audit either able to be requested or legally discoverable outside a
>lawsuit?
>
>The PCI Security Standards Council is a private, non-profit
>organization, so FOIA can't be used to force disclosure from them,
>correct?
>
>FWIW, I was a victim of this breach. I had my debit card re-issued by
my
>bank this week. It's the first one of 2007 for me ;-(
>
>--
>Sean Steele, CISSP
>infoLock Technologies
>703.310.6478 direct
>202.270.8672 mobile
>ssteele at infolocktech.com
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss
Tracking more than 203 million compromised records in 609 incidents over
7 years.
More information about the Dataloss
mailing list