BreachExchange mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Consumers of Hannaford Brothers Co. SupermarketsFile Class Action Suit

From: "Jamie C. Pole" <jpole () jcpa com>
Date: Wed, 19 Mar 2008 22:05:05 -0400

Agreed, but many of the 4.2 million compromised card numbers will be  
re-issued anyway.  Even if there was no fraudulent actvity associated  
with the account.  There is most definitely a cost associated with  
those re-issues, and I can promise that Hannaford (and any other party  
involved in the breach) will be made to bear much, if not all of that  
cost.

My original point was that this was not a simple case of some script  
kiddie (maybe Mitnick is having a relapse?) accidentally breaching a  
system with a poor security posture.  Most of those cases never result  
in financial fraud because the perpetrator either didn't realize what  
he/she accessed, or just wasn't looking for credit card numbers.

This case is different because there have already been cases of  
financial fraud with credit card numbers stolen from Hannaford.

And I FIRMLY believe that whatever organization signed off on  
Hannaford's PCI compliance bears part of the responsibility.

Jamie


On Mar 19, 2008, at 9:05 PM, Sasha Romanosky wrote:


Well, careful. If victims need to demonstrate actual financial loss,
fraudulent charges covered by the credit card company may not be  
considered.


That being said, let's look at what we know about choicepoint:
. Fined $10M by FTC for violating fair credit reporting act, and $5M  
trust
fund for consumer redress,
. $500k toward public education campaigns about identity theft
. Paid $500k for state legal fees
. $10M shareholder lawsuit
For a total of $26M (from around 160k records)

So the claim of 1800 reported cases of identity theft (which may or  
may not
have resulted in actual loss) may be the least of their worries.

cheers,
sasha

-----Original Message-----
From: dataloss-bounces () attrition org
[mailto:dataloss-bounces () attrition org] On Behalf Of Jamie C. Pole
Sent: Wednesday, March 19, 2008 8:41 PM
To: dataloss-bounces () attrition org; dataloss () attrition org
Subject: Re: [Dataloss] Consumers of Hannaford Brothers Co.
SupermarketsFile Class Action Suit


Let's also consider the possibility the Hannaford WAS using
the tool correctly, and that it just didn't work as advertised.

As far as the law firm being on the ball, trust me, they are.
I know this firm well, and they will absolutely include
Rapid7 in their discovery process.  If I was senior
management at Rapid7, I would NOT be sleeping well right now.

The kiss of death in this case is going to be the fact that
there have been around 1800 reported cases of fraud stemming
from the incident.  This was not an accident.

Jamie

-----Original Message-----
From: dataloss-bounces () attrition org
[mailto:dataloss-bounces () attrition org]
On Behalf Of Mike Simon
Sent: Wednesday, March 19, 2008 6:47 PM
To: lyger; dataloss-bounces () attrition org; dataloss () attrition org
Subject: Re: [Dataloss] Consumers of Hannaford Brothers Co.
Supermarkets FileClass Action Suit

This could not be a better example of why companies hesitate
to disclose details. If this lawfirm is on the ball. They
will get access to the exchange with Rapid7 which, according
to the press release changes, indicates potential additional
negligence in that the had a tool that may have prevented
this problem and failed to use it properly. Not a helpful
disclosure for Hannaford with respect to the class action.

Mike


_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance
monitoring solutions for large and small networks. Scan your
network and monitor your traffic to find the data needing
protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml



_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor  
your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml



_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml
Previous By Date Next
Previous By Thread Next

Current thread: