![dataloss logo](/images/dataloss-logo.png)
BreachExchange mailing list archives
Re: Consumers of Hannaford Brothers Co. Supermarkets File Class Action Suit
From: "Edward White" <ewhite () avrenter com>
Date: Thu, 20 Mar 2008 15:22:29 -0400
There ought to be a law that retailers are not allowed to strip the personal data from debit and credit cards when they pass through their systems to the credit card companies. If a customer voluteers there mailing information, that is one thing, but there is a whole market behind the scenes in the retail industry where by personal information of their clients is bought and sold. This is done supposedly so the retailers can better address their target markets. If the retailers did not have the info, there would be no data to breach. This is the first measure to protect consumers, there many others, I do not have the time to go into it right now. -----Original Message----- From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of Mike Simon Sent: Thursday, March 20, 2008 2:25 PM To: Rodney Cc: dataloss () attrition org Subject: Re: [Dataloss] Consumers of Hannaford Brothers Co. SupermarketsFile Class Action Suit I've been quiet on the topic of certification, compliance and fault based on these ideas so far, but I'm hearing some pretty strong statements that I have problems with. The idea that a certification or endorsement of compliance to a standard of protection should make the certifying body responsible if data in subsequently lost seems a bit harsh considering that the certifying agency had no control of the operation of the compromised systems after they did their testing. Essentially certification/compliance typically shows that at a specific point in time the system met certain conditions - nothing more. If the testing was never done, or it was done and the results falsified that's one thing. Holding the auditors responsible for all system behavior after that point in time is hard to fathom. For me, that points to an increased need to audit IT practices in some kind of continuous improvement loop (CMM level 5) rather than trying to hang auditors out to dry every time someone mis configures their firewall a few weeks after the last audit. To answer your question, I would hold Visa responsible if they had anything to do with falsely certifying conditions at Hannaford to be safe, but not for putting in place a mechanism designed to improve the overall stance of their partners and not somehow making it perfect. On Thu, Mar 20, 2008 at 6:17 AM, Rodney <rwise29210 () gmail com> wrote:
Wouldn't you include Visa in the discovery if they certified Rapid7?
I use
PayPal as my gateway and if anything ever happened I would sing names
like
canary. Rodney Wise South East Ostrich Supply http://www.seostrich.com On Wed, 2008-03-19 at 17:58 -0700, Mike Simon wrote: I think you're right in also considering that the product was used correctly and just not up to the task, which raises an interesting but possibly off-topic question in my mind. If Rapid7 falsely attributes the incident to mis-use of their product in a public forum (the press release), essentially increasing the potential liability of Hannaford, it seems like Hannaford might have a cause of action against Rapid7. The cause of action is unrelated to the performance of their product, which I'm sure is well protected by the license agreement, but instead related to (potentially) false and (potentially) damaging statements about Hannaford's security practices. It seems to me that the statement in the revised press release has no real upside for Rapid7 true _or_ false. As someone stated earlier in this thread, they should have withdrawn the press release from their web site and taken their lumps. I'm certainly not a lawyer, and have NO knowledge of the incident, truthfulness of the subsequent Rapid7 disclaimers or really anything at all. This is intended as a discussion of hypothetical outcomes. Mike On Wed, Mar 19, 2008 at 5:40 PM, Jamie C. Pole <jpole () jcpa com> wrote:Let's also consider the possibility the Hannaford WAS using the tool correctly, and that it just didn't work as advertised. As far as the law firm being on the ball, trust me, they are. I know
this
firm well, and they will absolutely include Rapid7 in their
discovery
process. If I was senior management at Rapid7, I would NOT be
sleeping
wellright now. The kiss of death in this case is going to be the fact that there
have
beenaround 1800 reported cases of fraud stemming from the incident. This
was
not an accident. Jamie -----Original Message----- From: dataloss-bounces () attrition org[mailto:dataloss-bounces () attrition org]On Behalf Of Mike Simon Sent: Wednesday, March 19, 2008 6:47 PM To: lyger; dataloss-bounces () attrition org; dataloss () attrition org Subject: Re: [Dataloss] Consumers of Hannaford Brothers Co.
Supermarkets
FileClass Action Suit This could not be a better example of why companies hesitate to
disclose
details. If this lawfirm is on the ball. They will get access to the exchange with Rapid7 which, according to the press release changes, indicates potential additional negligence in that the had a tool
that may
have prevented this problem and failed to use it properly. Not a
helpful
disclosure for Hannaford with respect to the class action. Mike_______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor
your
traffic to find the data needing protection before it leaks out! http://www.tenablesecurity.com/products/compliance.shtml Rodney Wise South East Ostrich Supply http://www.seostrich.com (803) 741-5636
_______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out! http://www.tenablesecurity.com/products/compliance.shtml _______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out! http://www.tenablesecurity.com/products/compliance.shtml
Current thread:
- Consumers of Hannaford Brothers Co. Supermarkets File Class Action Suit lyger (Mar 19)
- Re: Consumers of Hannaford Brothers Co. Supermarkets FileClass Action Suit Mike Simon (Mar 19)
- Re: Consumers of Hannaford Brothers Co. Supermarkets File Class Action Suit Jamie C. Pole (Mar 19)
- Re: Consumers of Hannaford Brothers Co. Supermarkets File Class Action Suit Mike Simon (Mar 19)
- Message not available
- Re: Consumers of Hannaford Brothers Co. Supermarkets File Class Action Suit Mike Simon (Mar 20)
- Re: Consumers of Hannaford Brothers Co. Supermarkets File Class Action Suit Edward White (Mar 20)
- Re: Consumers of Hannaford Brothers Co. SupermarketsFile Class Action Suit DAIL, WILLARD A (Mar 20)
- Re: Consumers of Hannaford Brothers Co. Supermarkets File Class Action Suit Jamie C. Pole (Mar 19)
- Re: Consumers of Hannaford Brothers Co. Supermarkets FileClass Action Suit Mike Simon (Mar 19)
- Re: Consumers of Hannaford Brothers Co. Supermarkets File Class Action Suit Rodney (Mar 20)
- Re: Consumers of Hannaford Brothers Co. SupermarketsFile Class Action Suit Sasha Romanosky (Mar 19)