BreachExchange mailing list archives

Re: TJX breach shows that encryption can be foiled


From: Dissent <Dissent () pogowasright org>
Date: Tue, 03 Apr 2007 15:09:47 -0400

Forwarded for snippage purposes.

Return-Path: <james_ritchie () sbcglobal net>
Message-ID: <4612A466.1070707 () sbcglobal net>
Date: Tue, 03 Apr 2007 15:00:54 -0400

So was my wife.  If history can tell parts of the future, I think 
that the next item will be a suit from the FTC for unfair business 
practice which will end up with 10 m fine, 5 m relief, and every 
other year an audit from a security specialist, for 20 years. That is 
what Cardservices and Choicepoint settled with the FTC last year. 
BTW, FTC has adopted GLBA as the standard to protect Business to 
consumer relationships.

Sean Steele wrote:

James,

You pose some interesting questions re: what other regulations TJX is
likely non-compliant with -- as a public company, I'd guess their SOX
404 controls should be examined. GLBA may come into play, though they're
not a finsrv company.

Who is their PCI-DSS auditor and are the results of their most recent
audit either able to be requested or legally discoverable outside a
lawsuit?

The PCI Security Standards Council is a private, non-profit
organization, so FOIA can't be used to force disclosure from them,
correct?

FWIW, I was a victim of this breach. I had my debit card re-issued by my
bank this week. It's the first one of 2007 for me ;-(

--
Sean Steele, CISSP
infoLock Technologies
703.310.6478  direct
202.270.8672  mobile
ssteele () infolocktech com

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 203 million compromised records in 609 incidents over 7 years.
