BreachExchange mailing list archives
Re: TJX breach shows that encryption can be foiled
From: "B.K. DeLong" <bkdelong () pobox com>
Date: Tue, 3 Apr 2007 13:46:43 -0400
I think Andy's got it covered but I'm confident the amount of data (including Track 2) they were retaining was above and beyond the PCI-DSS maximum; especially with such a failure cryptography-wise.

On 4/3/07, Sean Steele <SSteele () infolocktech com> wrote:
> I'm familiar with PCI-DSS standards for DAR encryption for cardholder information, but less sure of retention requirements. Does anyone know conclusively if TJX was simply retaining cardholder data per regulations?
>
> -Sean
>
> -----Original Message-----
> From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of DAIL, ANDY
> Sent: Tuesday, April 03, 2007 9:49 AM
> To: dataloss () attrition org
> Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled
>
> I don't care if you're using 1024 bit encryption with an atomic booby-trap, there is no business reason to retain that much card data for such a long period after authorization. Especially magnetic track data!!
>
> In the final analysis, if the data were not being retained, the data could not be stolen. TJX is a perfect case-in-point of a retailer who is afraid to purge historical data, or does not spend the effort to triage the data to determine what is obsolete.
>
> Data Management policy anyone?
>
> -----Original Message-----
> From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of Chris Walsh
> Sent: Monday, April 02, 2007 5:42 PM
> To: dataloss () attrition org
> Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled
>
> On Apr 2, 2007, at 2:44 PM, Casey, Troy # Atlanta wrote:
> > It should make for a short list of suspects, assuming TJX was doing a reasonable job of key management...
>
> That (reasonable key management) is a critical assumption. I'd be interested in learning what algorithm (and implementation thereof) they were using, as well. Not holding my breath on that info :^)
>
> cw
>
> _______________________________________________
> Dataloss Mailing List (dataloss () attrition org)
> http://attrition.org/dataloss
> Tracking more than 203 million compromised records in 609 incidents over 7 years.
--
B.K. DeLong (K3GRN)
bkdelong () pobox com
+1.617.797.8471
http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.
PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF: http://foaf.brain-stream.org
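Andy's point in the quoted message (retained track data is what ends up stolen) suggests a defender's check. The following is an added example, not code from this thread or from any retailer: it scans stored records for full Track 2 strings, using the ISO/IEC 7813 track layout and a Luhn check that are assumed here rather than taken from the thread, and flags records kept longer than a chosen retention window, over constructed sample records.

```python
import re
from datetime import date

# Track 2 layout per ISO/IEC 7813 (assumed here, not stated in the thread):
# ';' start sentinel, PAN of 12-19 digits, '=' separator, YYMM expiry,
# 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check so that arbitrary digit runs are not flagged as PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_track2(text: str) -> list:
    """Return every Luhn-valid Track 2 string in text, keeping only the PAN's last four digits."""
    hits = []
    for m in TRACK2_RE.finditer(text):
        pan, expiry, service_code, _discretionary = m.groups()
        if luhn_ok(pan):
            hits.append({"pan_last4": pan[-4:], "expiry": expiry,
                         "service_code": service_code, "offset": m.start()})
    return hits


def audit(records, today_iso: str, max_days: int) -> list:
    """records are (iso_date_stored, payload) pairs; returns (index, reason) findings.
    Any full Track 2 is a finding on its own (PCI DSS forbids storing it after
    authorization); anything older than max_days is a retention finding."""
    today = date.fromisoformat(today_iso)
    findings = []
    for i, (stored, payload) in enumerate(records):
        if find_track2(payload):
            findings.append((i, "full Track 2 stored after authorization"))
        age = (today - date.fromisoformat(stored)).days
        if age > max_days:
            findings.append((i, f"retained {age} days, limit {max_days}"))
    return findings


# Constructed sample records; the PANs are the usual test numbers, not real cards.
SAMPLE_RECORDS = [
    ("2007-01-15", "txn=1 ;4111111111111111=0812101123456789? amt=19.99"),
    ("2007-03-30", "txn=2 auth_code=123456 pan_last4=1111 amt=4.50"),
    ("2006-12-01", "txn=3 ;1234567890123456=0812101? amt=7.00"),
]

if __name__ == "__main__":
    for idx, reason in audit(SAMPLE_RECORDS, "2007-04-03", max_days=90):
        print(f"record {idx}: {reason}")
```

Record 3 looks like a track but fails Luhn, so only its age is reported; record 1 is young but holds a full Track 2 and is reported regardless of age.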
Current thread:
- TJX breach shows that encryption can be foiled lyger (Apr 01)
- Re: TJX breach shows that encryption can be foiled B.K. DeLong (Apr 02)
- Re: TJX breach shows that encryption can be foiled Casey, Troy # Atlanta (Apr 02)
- Re: TJX breach shows that encryption can be foiled Chris Walsh (Apr 02)
- Re: TJX breach shows that encryption can be foiled Adrian Sanabria (Apr 02)
- Re: TJX breach shows that encryption can be foiled Avery Sawaba (Apr 03)
- Re: TJX breach shows that encryption can be foiled DAIL, ANDY (Apr 03)
- Re: TJX breach shows that encryption can be foiled Sean Steele (Apr 03)
- Re: TJX breach shows that encryption can be foiled DAIL, ANDY (Apr 03)
- Re: TJX breach shows that encryption can be foiled B.K. DeLong (Apr 03)
- Re: TJX breach shows that encryption can be foiled James Childers (Apr 03)
- Re: TJX breach shows that encryption can be foiled Sean Steele (Apr 03)
- Re: TJX breach shows that encryption can be foiled Casey, Troy # Atlanta (Apr 02)
- Re: TJX breach shows that encryption can be foiled B.K. DeLong (Apr 02)
- <Possible follow-ups>
- Re: TJX breach shows that encryption can be foiled Dissent (Apr 03)
- Re: TJX breach shows that encryption can be foiled Chris Walsh (Apr 03)
- Re: TJX breach shows that encryption can be foiled Donald Aplin (Apr 03)
- Re: TJX breach shows that encryption can be foiled James Ritchie, CISA, QSA (Apr 03)
- Re: TJX breach shows that encryption can be foiled Katie Felten (Apr 03)
- Re: TJX breach shows that encryption can be foiled Dan Good (Apr 03)
- Re: TJX breach shows that encryption can be foiled B.K. DeLong (Apr 03)