BreachExchange mailing list archives
Re: Consumers of Hannaford Brothers Co. SupermarketsFile Class Action Suit
From: "DAIL, WILLARD A" <ADAIL () sunocoinc com>
Date: Thu, 20 Mar 2008 16:50:56 -0400
Wait, are you saying the personal information should be stored with the transaction information? The card brands and issuers basically require the merchant to store the PAN for a period after the sale in order to investigate chargebacks. Most companies strip away any personally identifiable information and store the PAN along with the sale information in order to reduce the amount of data being stored. Certainly we wouldn't want to increase the data merchants are required to store?

In most cases, when you hear of a company storing too much information, it wasn't because they were actually doing anything with it, it's because their payment systems are so old the original currency accepted was "wampum" shells, and the merchant is too cheap or uninformed to make any changes. A few merchants do mine data, but most only store the credit card information because the issuers will make them "eat" a chargeback if they do not have the sales record.

Merchants could agree to accept that charge and store nothing, but the prices of goods will simply increase to cover the reduced margins. Alternatively, the issuers could implement chargeback procedures that didn't require the merchants to store data the settlement providers don't want to store.

-----Original Message-----
From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of Edward White
Sent: Thursday, March 20, 2008 2:22 PM
To: Mike Simon
Cc: dataloss () attrition org
Subject: Re: [Dataloss] Consumers of Hannaford Brothers Co. Supermarkets File Class Action Suit

There ought to be a law that retailers are not allowed to strip the personal data from debit and credit cards when they pass through their systems to the credit card companies. If a customer volunteers their mailing information, that is one thing, but there is a whole market behind the scenes in the retail industry whereby personal information of their clients is bought and sold. This is done supposedly so the retailers can better address their target markets. If the retailers did not have the info, there would be no data to breach. This is the first measure to protect consumers; there are many others, but I do not have the time to go into it right now.

-----Original Message-----
From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of Mike Simon
Sent: Thursday, March 20, 2008 2:25 PM
To: Rodney
Cc: dataloss () attrition org
Subject: Re: [Dataloss] Consumers of Hannaford Brothers Co. Supermarkets File Class Action Suit

I've been quiet on the topic of certification, compliance and fault based on these ideas so far, but I'm hearing some pretty strong statements that I have problems with. The idea that a certification or endorsement of compliance to a standard of protection should make the certifying body responsible if data is subsequently lost seems a bit harsh considering that the certifying agency had no control of the operation of the compromised systems after they did their testing. Essentially, certification/compliance typically shows that at a specific point in time the system met certain conditions - nothing more. If the testing was never done, or it was done and the results falsified, that's one thing. Holding the auditors responsible for all system behavior after that point in time is hard to fathom.

For me, that points to an increased need to audit IT practices in some kind of continuous improvement loop (CMM level 5) rather than trying to hang auditors out to dry every time someone misconfigures their firewall a few weeks after the last audit.

To answer your question, I would hold Visa responsible if they had anything to do with falsely certifying conditions at Hannaford to be safe, but not for putting in place a mechanism designed to improve the overall stance of their partners and not somehow making it perfect.

On Thu, Mar 20, 2008 at 6:17 AM, Rodney <rwise29210 () gmail com> wrote:

Wouldn't you include Visa in the discovery if they certified Rapid7? I use PayPal as my gateway and if anything ever happened I would sing names like a canary.

Rodney Wise
South East Ostrich Supply
http://www.seostrich.com

On Wed, 2008-03-19 at 17:58 -0700, Mike Simon wrote:

I think you're right in also considering that the product was used correctly and just not up to the task, which raises an interesting but possibly off-topic question in my mind. If Rapid7 falsely attributes the incident to misuse of their product in a public forum (the press release), essentially increasing the potential liability of Hannaford, it seems like Hannaford might have a cause of action against Rapid7. The cause of action is unrelated to the performance of their product, which I'm sure is well protected by the license agreement, but instead related to (potentially) false and (potentially) damaging statements about Hannaford's security practices.

It seems to me that the statement in the revised press release has no real upside for Rapid7, true _or_ false. As someone stated earlier in this thread, they should have withdrawn the press release from their web site and taken their lumps.

I'm certainly not a lawyer, and have NO knowledge of the incident, the truthfulness of the subsequent Rapid7 disclaimers or really anything at all. This is intended as a discussion of hypothetical outcomes.

Mike

On Wed, Mar 19, 2008 at 5:40 PM, Jamie C. Pole <jpole () jcpa com> wrote:

Let's also consider the possibility that Hannaford WAS using the tool correctly, and that it just didn't work as advertised.

As far as the law firm being on the ball, trust me, they are. I know this firm well, and they will absolutely include Rapid7 in their discovery process. If I was senior management at Rapid7, I would NOT be sleeping well right now.

The kiss of death in this case is going to be the fact that there have been around 1800 reported cases of fraud stemming from the incident. This was not an accident.

Jamie

-----Original Message-----
From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of Mike Simon
Sent: Wednesday, March 19, 2008 6:47 PM
To: lyger; dataloss-bounces () attrition org; dataloss () attrition org
Subject: Re: [Dataloss] Consumers of Hannaford Brothers Co. Supermarkets File Class Action Suit

This could not be a better example of why companies hesitate to disclose details. If this law firm is on the ball, they will get access to the exchange with Rapid7 which, according to the press release changes, indicates potential additional negligence in that they had a tool that may have prevented this problem and failed to use it properly. Not a helpful disclosure for Hannaford with respect to the class action.

Mike

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml

Rodney Wise
South East Ostrich Supply
http://www.seostrich.com
(803) 741-5636