Re: [Dataloss] TJX breach shows that encryption can be foiled

From: Dan Good (Dan.Goodevault.com)
Date: Tue Apr 03 2007 - 14:25:18 CDT


Without quick severe financial penalties imposed, this will continue to
happen. Brand Damage is not enough because the companies that breach
confidential customer data pass the buck and blame their vendor(s).

-----Original Message-----
From: dataloss-bouncesattrition.org
[mailto:dataloss-bouncesattrition.org] On Behalf Of Dissent
Sent: Tuesday, April 03, 2007 3:10 PM
To: datalossattrition.org
Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled

Forwarded for snippage purposes.

Return-Path: <james_ritchiesbcglobal.net>
Message-ID: <4612A466.1070707sbcglobal.net>
Date: Tue, 03 Apr 2007 15:00:54 -0400

So was my wife. If history can tell parts of the future, I think
that the next item will be a suit from the FTC for unfair business
practice which will end up with 10 m fine, 5 m relief, and every
other year an audit from a security specialist, for 20 years. That is
what Cardservices and Choicepoint settled with the FTC last year.
BTW, FTC has adopted GLBA as the standard to protect Business to
consumer relationships.

Sean Steele wrote:

>James,
>
>You pose some interesting questions re: what other regulations TJX is
>likely non-compliant with -- as a public company, I'd guess their SOX
>404 controls should be examined. GLBA may come into play, though they're
>not a finsrv company.
>
>Who is their PCI-DSS auditor and are the results of their most recent
>audit either able to be requested or legally discoverable outside a
>lawsuit?
>
>The PCI Security Standards Council is a private, non-profit
>organization, so FOIA can't be used to force disclosure from them,
>correct?
>
>FWIW, I was a victim of this breach. I had my debit card re-issued by my
>bank this week. It's the first one of 2007 for me ;-(
>
>--
>Sean Steele, CISSP
>infoLock Technologies
>703.310.6478 direct
>202.270.8672 mobile
>ssteeleinfolocktech.com

_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/dataloss
Tracking more than 203 million compromised records in 609 incidents over
7 years.