BreachExchange mailing list archives
Re: More on the BofA card-cancellations
From: Adam Shostack <adam () homeport org>
Date: Fri, 10 Feb 2006 12:13:34 -0500
Thanks Sharon! The only explanation(s) I can think of for not disclosing are ongoing investigations, which is starting to get thin as details leak, and that the data was "encrypted." I don't believe that the encryption exemption is going to work, because clearly these banks feel it's worth some expense to protect their customers--therefore, any encryption in place was either weak, or bypassed by the nature of the attack.

Adam

On Fri, Feb 10, 2006 at 08:51:05AM -0800, Sharon Besser wrote:
| According to
|
| http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2006/02/10/BUG5HH5N841.DTL
| There was a security breach. Here are some highlights from this
| article that also discuss the legal requirements to disclose
| information to the public.
|
|
| ".... But well-placed sources within the banking and credit card
| industries now tell me that the company in question is a leading
| retailer in the office-supply business.
|
| Those sources also place the total number of consumers affected by the
| security breach at nearly 200,000.
|
| Washington Mutual confirmed Thursday that it too was involved in the
| breach and is replacing customers' debit cards.
|
| Banking industry sources said they were notified last month by Visa
| and MasterCard that the computer system of a prominent merchant had
| been penetrated by a computer hacker, and that account information for
| thousands of customers had been endangered.
|
| Rosetta Jones, a spokeswoman for Visa USA, acknowledged Thursday that
| the incident involved a U.S. merchant that "may have experienced a
| data security breach resulting in the compromise of Visa card account
| information."
|
| Sharon Gamsin, a spokeswoman for MasterCard International, said the
| credit card company had been informed of "a potential security breach
| at a U.S.-based retailer....."
|
| ---Sharon
|
|
| -----Original Message-----
| From: Chris Walsh [mailto:cwalsh () cwalsh org]
| Sent: Friday, February 10, 2006 7:39 AM
| To: dataloss () attrition org
| Subject: [Dataloss] More on the BofA card-cancellations
|
| From today's American Banker Online
| (http://www.americanbanker.com/datasecurityscan.html [paywall]):
|
| Julie Davis, a B of A spokeswoman, told American Banker that to her knowledge
|                                                              ^^^^^^^^^^^^^^^^
| no major security breach has occurred in recent weeks at a third party that
|                                       ^^^^^^^^^^^^^^^
| works with B of A, and that the cards that were reissued were likely not
| connected to a single event.
|
|
| "It's part of our normal process to block and reissue cards when there is any
| potential for fraud," she said. A group of "customers receiving a letter don't
| necessarily indicate that they are from the same incident."
| ^^^^^^^^^^^
|
| [I underlined certain parts]
|
| Depending on what "recent" means, this *could* be Sam's Club fallout (among
| other things). Of course, unless people actually reveal information, we will
| never know, will we?
|
| _______________________________________________
| Dataloss mailing list
| Dataloss () attrition org
| https://attrition.org/mailman/listinfo/dataloss