BreachExchange mailing list archives

Re: TJX breach shows that encryption can be foiled


From: "B.K. DeLong" <bkdelong () pobox com>
Date: Mon, 2 Apr 2007 15:33:22 -0400

If that isn't a loaded statement. So TJX is claiming all their credit
card data is always encrypted at rest? How many people would have
access to such a "decryption tool"? This sounds fishy.

On 4/1/07, lyger <lyger () attrition org> wrote:

http://www.boston.com/business/globe/articles/2007/03/31/tjx_breach_shows_that_encryption_can_be_foiled/

Encryption alone is no panacea for threats to consumer data, according to
specialists who say the technology's limit can be seen in the problems
reported by TJX Cos. of Framingham.

The notion of using complex math formulas to scramble electronic
information is gaining steam as a way to protect individuals' privacy, an
area of growing concern for retailers and banks as data thefts become more
brazen.

But recent details to emerge on how hackers accessed the parent of stores
including T.J. Maxx and Marshalls show how encryption can be defeated by
clever thieves -- and suggest the breach may have been an inside job.

A securities filing by TJX on Wednesday disclosed that the incident may
have compromised more than 45 million credit and debit card numbers, the
most in any single incident. In the filing, TJX also stated that "we
believe that the intruder had access to the decryption tool for the
encryption software utilized by TJX."

[...]
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 203 million compromised records in 609 incidents over 7 years.



-- 
B.K. DeLong (K3GRN)
bkdelong () pobox com
+1.617.797.8471

http://www.wkdelong.org                    Son.
http://www.ianetsec.com                    Work.
http://www.bostonredcross.org             Volunteer.
http://www.carolingia.eastkingdom.org   Service.
http://bkdelong.livejournal.com             Play.


PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org