[Dataloss] Consumers of Hannaford Brothers Co. Supermarkets File Class Action Suit
Edward White
ewhite at avrenter.com
Thu Mar 20 19:22:29 UTC 2008
There ought to be a law that retailers are not allowed to strip the
personal data from debit and credit cards when they pass through their
systems to the credit card companies. If a customer volunteers their
mailing information, that is one thing, but there is a whole market
behind the scenes in the retail industry whereby personal information
of their clients is bought and sold. This is done supposedly so the
retailers can better address their target markets. If the retailers did
not have the info, there would be no data to breach.
This is the first measure to protect consumers; there are many others, and I do
not have the time to go into them right now.
-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Mike Simon
Sent: Thursday, March 20, 2008 2:25 PM
To: Rodney
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] Consumers of Hannaford Brothers Co. Supermarkets File Class Action Suit
I've been quiet on the topic of certification, compliance and fault
based on these ideas so far, but I'm hearing some pretty strong
statements that I have problems with. The idea that a certification or
endorsement of compliance to a standard of protection should make the
certifying body responsible if data is subsequently lost seems a bit
harsh considering that the certifying agency had no control of the
operation of the compromised systems after they did their testing.
Essentially, certification/compliance typically shows that at a
specific point in time the system met certain conditions - nothing
more. If the testing was never done, or it was done and the results
falsified, that's one thing. Holding the auditors responsible for all
system behavior after that point in time is hard to fathom.
For me, that points to an increased need to audit IT practices in some
kind of continuous improvement loop (CMM level 5) rather than trying
to hang auditors out to dry every time someone misconfigures their
firewall a few weeks after the last audit.
To answer your question, I would hold Visa responsible if they had
anything to do with falsely certifying conditions at Hannaford to be
safe, but not for putting in place a mechanism designed to improve the
overall stance of their partners and not somehow making it perfect.
On Thu, Mar 20, 2008 at 6:17 AM, Rodney <rwise29210 at gmail.com> wrote:
>
> Wouldn't you include Visa in the discovery if they certified Rapid7? I use
> PayPal as my gateway and if anything ever happened I would sing names
> like a canary.
>
> Rodney Wise
>
> South East Ostrich Supply
> http://www.seostrich.com
>
>
>
>
> On Wed, 2008-03-19 at 17:58 -0700, Mike Simon wrote:
>
>
>
> I think you're right in also considering that the product was used
> correctly and just not up to the task, which raises an interesting but
> possibly off-topic question in my mind. If Rapid7 falsely attributes
> the incident to mis-use of their product in a public forum (the press
> release), essentially increasing the potential liability of Hannaford,
> it seems like Hannaford might have a cause of action against Rapid7.
> The cause of action is unrelated to the performance of their product,
> which I'm sure is well protected by the license agreement, but instead
> related to (potentially) false and (potentially) damaging statements
> about Hannaford's security practices.
>
> It seems to me that the statement in the revised press release has no
> real upside for Rapid7 true _or_ false. As someone stated earlier in
> this thread, they should have withdrawn the press release from their
> web site and taken their lumps.
>
> I'm certainly not a lawyer, and have NO knowledge of the incident,
> truthfulness of the subsequent Rapid7 disclaimers or really anything
> at all. This is intended as a discussion of hypothetical outcomes.
>
> Mike
>
> On Wed, Mar 19, 2008 at 5:40 PM, Jamie C. Pole <jpole at jcpa.com> wrote:
> >
> > Let's also consider the possibility that Hannaford WAS using the tool
> > correctly, and that it just didn't work as advertised.
> >
> > As far as the law firm being on the ball, trust me, they are. I know this
> > firm well, and they will absolutely include Rapid7 in their discovery
> > process. If I was senior management at Rapid7, I would NOT be sleeping well
> > right now.
> >
> > The kiss of death in this case is going to be the fact that there have been
> > around 1800 reported cases of fraud stemming from the incident. This was
> > not an accident.
> >
> > Jamie
> >
> >
> > -----Original Message-----
> > From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org]
> > On Behalf Of Mike Simon
> > Sent: Wednesday, March 19, 2008 6:47 PM
> > To: lyger; dataloss-bounces at attrition.org; dataloss at attrition.org
> > Subject: Re: [Dataloss] Consumers of Hannaford Brothers Co. Supermarkets
> > File Class Action Suit
> >
> >
> >
> > This could not be a better example of why companies hesitate to disclose
> > details. If this law firm is on the ball, they will get access to the
> > exchange with Rapid7 which, according to the press release changes,
> > indicates potential additional negligence in that they had a tool that may
> > have prevented this problem and failed to use it properly. Not a helpful
> > disclosure for Hannaford with respect to the class action.
> >
> > Mike
> >
> >
> >
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor your
> traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml
>
>
> Rodney Wise
>
> South East Ostrich Supply
> http://www.seostrich.com
> (803) 741-5636