BreachExchange mailing list archives

Re: TJX breach shows that encryption can be foiled


From: "B.K. DeLong" <bkdelong () pobox com>
Date: Tue, 3 Apr 2007 13:46:43 -0400

I think Andy's got it covered but I'm confident the amount of data
(including Track 2) they were retaining was above and beyond the
PCI-DSS maximum; especially with such a failure cryptography-wise.

On 4/3/07, Sean Steele <SSteele () infolocktech com> wrote:
I'm familiar with PCI-DSS standards for DAR encryption for cardholder
information, but less sure of retention requirements.

Does anyone know conclusively if TJX was simply retaining cardholder
data per regulations?

-Sean

-----Original Message-----
From: dataloss-bounces () attrition org
[mailto:dataloss-bounces () attrition org] On Behalf Of DAIL, ANDY
Sent: Tuesday, April 03, 2007 9:49 AM
To: dataloss () attrition org
Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled



I don't care if you're using 1024 bit encryption with an atomic
booby-trap, there is no business reason to retain that much card data
for such a long period after authorization. Especially magnetic track
data!!

In the final analysis, if the data were not being retained, the data
could not be stolen.

TJX is a perfect case-in-point of a retailer who is afraid to purge
historical data, or does not spend the effort to triage the data to
determine what is obsolete.  Data Management policy anyone?



-----Original Message-----
From: dataloss-bounces () attrition org
[mailto:dataloss-bounces () attrition org] On Behalf Of Chris Walsh
Sent: Monday, April 02, 2007 5:42 PM
To: dataloss () attrition org
Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled



On Apr 2, 2007, at 2:44 PM, Casey, Troy # Atlanta wrote:

It should make for a short list of suspects, assuming TJX was doing a
reasonable job of key management...

That (reasonable key management) is a critical assumption.

I'd be interested in learning what algorithm (and implementation
thereof) they were using, as well.

Not holding my breath on that info :^)

cw
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss Tracking more than 203 million compromised
records in 609 incidents over 7 years.




-- 
B.K. DeLong (K3GRN)
bkdelong () pobox com
+1.617.797.8471

http://www.wkdelong.org                    Son.
http://www.ianetsec.com                    Work.
http://www.bostonredcross.org             Volunteer.
http://www.carolingia.eastkingdom.org   Service.
http://bkdelong.livejournal.com             Play.


PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org
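The thread's practical point is that retained magnetic-stripe (Track 2) data and stale post-authorization records are the exposure, regardless of the encryption wrapped around them. The script below is an added example, not code from the list or from any party named in the thread: it triages stored transaction records for the two conditions the posters describe, Track 2 data present at all, and records older than a retention window. The records, the 90-day window and the `txn-*` identifiers are constructed for illustration; the Track 2 layout (start sentinel `;`, PAN, `=` separator, YYMM expiry, three-digit service code, discretionary data, `?` end sentinel) and the Luhn check are standard, and the PANs are the common public test numbers.

```python
import re
from datetime import date, timedelta

# Track 2 layout: ';' PAN(13-19 digits) '=' YYMM SSS discretionary '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

# Hypothetical retention window for authorized transactions (an assumption,
# not a value taken from PCI-DSS or from the thread).
RETENTION_DAYS = 90


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, used to cut false positives from digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_track2(text: str) -> list:
    """Return the PAN of every Luhn-valid Track 2 string found in text."""
    return [m.group(1) for m in TRACK2_RE.finditer(text) if luhn_ok(m.group(1))]


def triage(records, today: date, retention_days: int) -> list:
    """Flag records that hold Track 2 data or that outlived the retention window.

    Each record is a dict with 'id', 'authorized' (date) and 'payload' (str).
    Returns a list of (record id, [reasons]) for records that need purging.
    """
    cutoff = today - timedelta(days=retention_days)
    findings = []
    for rec in records:
        reasons = []
        if find_track2(rec["payload"]):
            reasons.append("track2")       # never retain after authorization
        if rec["authorized"] < cutoff:
            reasons.append("expired")      # older than the retention window
        if reasons:
            findings.append((rec["id"], reasons))
    return findings


# Constructed sample records; PANs are public test card numbers.
SAMPLE_RECORDS = [
    {"id": "txn-1001", "authorized": date(2007, 3, 20),
     "payload": "AUTH OK amt=49.99 pan=****1111"},
    {"id": "txn-1002", "authorized": date(2007, 3, 28),
     "payload": "AUTH OK amt=12.50 track=;4111111111111111=0812101123456789?"},
    {"id": "txn-0040", "authorized": date(2005, 6, 15),
     "payload": "AUTH OK amt=88.00 track=;5500000000000004=0710101000000000?"},
    {"id": "txn-0900", "authorized": date(2006, 11, 1),
     "payload": "AUTH OK amt=5.00 pan=****0004"},
]


def run_sample() -> list:
    """Triage the constructed records as of 2007-04-03, the date of the thread."""
    return triage(SAMPLE_RECORDS, date(2007, 4, 3), RETENTION_DAYS)


if __name__ == "__main__":
    for rec_id, reasons in run_sample():
        print(f"{rec_id}: purge ({', '.join(reasons)})")
```

Records carrying a masked PAN inside the window produce no finding; the two that still hold full Track 2 strings are flagged whatever their age, which is the distinction the posters draw between data that may be kept for a bounded period and data that should never have been stored after authorization.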

