Re: TJX breach shows that encryption can be foiled

["B.K. DeLong" <bkdelong () pobox com>]

As I previously mentioned in my "rant", (which I really should post on
Attrition), the PCI Co is not disclosing the fines and loss of
processing privileges that is going on behind the scenes. Those with
influence, (press, vendors, customers), should endeavor to have PCI co
make at least minimal information public such as number of fines per
quarter and total amount money-wise as well as how many companies lost
processing privileges.

No public accountability....very dull teeth.

On 4/3/07, Dan Good <Dan.Good () evault com> wrote:
> Without quick severe financial penalties imposed, this will continue to
> happen.  Brand Damage is not enough because the companies that breach
> confidential customer data pass the buck and blame their vendor(s).
>
> -----Original Message-----
> From: dataloss-bounces () attrition org
> [mailto:dataloss-bounces () attrition org] On Behalf Of Dissent
> Sent: Tuesday, April 03, 2007 3:10 PM
> To: dataloss () attrition org
> Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled
>
> Forwarded for snippage purposes.
>
> Return-Path: <james_ritchie () sbcglobal net>
> Message-ID: <4612A466.1070707 () sbcglobal net>
> Date: Tue, 03 Apr 2007 15:00:54 -0400
>
> So was my wife.  If history can tell parts of the future, I think
> that the next item will be a suit from the FTC for unfair business
> practice which will end up with 10 m fine, 5 m relief, and every
> other year an audit from a security specialist, for 20 years. That is
> what Cardservices and Choicepoint settled with the FTC last year.
> BTW, FTC has adopted GLBA as the standard to protect Business to
> consumer relationships.
>
> Sean Steele wrote:
>
> > James,
> >
> > You pose some interesting questions re: what other regulations TJX is
> > likely non-compliant with -- as a public company, I'd guess their SOX
> > 404 controls should be examined. GLBA may come into play, though
> they're
> > not a finsrv company.
> >
> > Who is their PCI-DSS auditor and are the results of their most recent
> > audit either able to be requested or legally discoverable outside a
> > lawsuit?
> >
> > The PCI Security Standards Council is a private, non-profit
> > organization, so FOIA can't be used to force disclosure from them,
> > correct?
> >
> > FWIW, I was a victim of this breach. I had my debit card re-issued by
> my
> > bank this week. It's the first one of 2007 for me ;-(
> >
> > --
> > Sean Steele, CISSP
> > infoLock Technologies
> > 703.310.6478  direct
> > 202.270.8672  mobile
> > ssteele () infolocktech com
>
> _______________________________________________
> Dataloss Mailing List (dataloss () attrition org)
> http://attrition.org/dataloss
> Tracking more than 203 million compromised records in 609 incidents over
> 7 years.
> _______________________________________________
> Dataloss Mailing List (dataloss () attrition org)
> http://attrition.org/dataloss
> Tracking more than 203 million compromised records in 609 incidents over 7 years.


-- 
B.K. DeLong (K3GRN)
bkdelong () pobox com
+1.617.797.8471

http://www.wkdelong.org                    Son.
http://www.ianetsec.com                    Work.
http://www.bostonredcross.org             Volunteer.
http://www.carolingia.eastkingdom.org   Service.
http://bkdelong.livejournal.com             Play.


PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 203 million compromised records in 609 incidents over 7 years.