Government Stops Shielding Corporate Breach 'Victims'

[security curmudgeon <jericho () attrition org>]

http://www.wired.com/threatlevel/2010/03/sunshine/

Government Stops Shielding Corporate Breach .Victims.
By Kevin Poulsen and Kim Zetter
March 30, 2010  | 1:17 pm

For the past few months, national retailer J.C. Penney has been fighting 
an under-seal court battle to keep you from knowing that its payment card 
network was breached by U.S. and Eastern European hackers.

The intrusions, by TJX hacker Albert Gonzalez and his overseas 
accomplices, occurred beginning in October 2007. J.C. Penney admits it was 
.wholly unaware. of the breach until the Secret Service told the company 
about it in May 2008, but now says with certitude that no identity or 
bank-card data was stolen in the breach it failed to detect. That.s why 
the company didn.t want to be identified to the public, says spokeswoman 
Darcie Brossart

.Because there was no reason to think that the hackers were successful, 
there was no need to alarm J.C. Penney customers,. says Brossart, .We 
believed we had a legitimate interest in not being linked to criminal 
activity that resulted in major thefts from other companies..

So in court filings, J.C. Penney argued that it was entitled to anonymity 
under the 2004 Crime Victims. Rights Act, a law intended to protect the 
.dignity and privacy. of victims. A federal judge on Friday ordered the 
company.s identity unsealed anyway, as well as that of a second breached 
company, clothing retailer Wet Seal.

[..]

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/

Get business, compliance, IT and security staff on the same page with
CREDANT Technologies: The Shortcut Guide to Understanding Data Protection
from Four Critical Perspectives. The eBook begins with considerations
important to executives and business leaders.
http://www.credant.com/campaigns/ebook-chpt-one-web.php