From: security curmudgeon (jerichoattrition.org)
Date: Fri Oct 26 2007 - 01:25:26 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---------- Forwarded message ----------
From: Paul Ferguson <fergdawgnetzero.net>

Via StorefrontBacktalk.

[snip]

Citing new information about the TJX data breach, attorneys suing the
clothing retail chain amended their complaints on Thursday and wants a
jury to evaluate TJX's security professionalism.

New details that emerged from documents filed in federal court Thursday
include:

A TJX consultant found that not only was TJX not PCI-compliant, but that
it had failed to comply with nine of the 12 applicable PCI requirements.
Many were "high-level deficiencies," the consultant said.

"After locating the stored data on the TJX servers, the intruder used the
TJX high-speed connection in Massachusetts to transfer this data to
another site on the Internet" in California. More than "80 GBytes of
stored data improperly retained by TJX was transferred in this manner. TJX
did not detect this transfer."

In May 2006, a traffic capture/sniffer program was installed on the TJX
network by the cyber thieves, where it remained undetected for seven
months, "capturing sensitive cardholder data as it was transmitted in the
clear by TJX."

[snip]

More:
http://storefrontbacktalk.com/story/102507tjxrevisedcomplaint
_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]