BreachExchange mailing list archives
Re: TJX breach shows that encryption can be foiled
From: "DAIL, ANDY" <ADAIL () sunocoinc com>
Date: Tue, 3 Apr 2007 09:49:26 -0400
I don't care if you're using 1024 bit encryption with an atomic booby-trap, there is no business reason to retain that much card data for such a long period after authorization. Especially magnetic track data!!

In the final analysis, if the data were not being retained, the data could not be stolen. TJX is a perfect case-in-point of a retailer who is afraid to purge historical data, or does not spend the effort to triage the data to determine what is obsolete.

Data Management policy anyone?

-----Original Message-----
From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of Chris Walsh
Sent: Monday, April 02, 2007 5:42 PM
To: dataloss () attrition org
Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled

On Apr 2, 2007, at 2:44 PM, Casey, Troy # Atlanta wrote:
> It should make for a short list of suspects, assuming TJX was doing a reasonable job of key management...
That (reasonable key management) is a critical assumption. I'd be interested in learning what algorithm (and implementation thereof) they were using, as well. Not holding my breath on that info :^)

cw

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 203 million compromised records in 609 incidents over 7 years.