BreachExchange mailing list archives

Questions for Wal-mart re: PCI compliance


From: security curmudgeon <jericho () attrition org>
Date: Fri, 15 May 2009 00:53:14 +0000 (UTC)



Last month, Dave w/ DatalossDB.org commented [1] that the Primary Sources 
project uncovered a dataloss incident at Wal-mart [2]. A few things to 
note:

- Information taken consisted of 48,000 associates residing in Illinois
- Breach happened in mid 2007
- Breach was not specific to Illinois

DatalossDB / OSF have sent out numerous FOIA requests to states that have 
mandatory disclosure laws. The results of those requests had no mention of 
Wal-mart. It's been almost two years since the incident happened, and 
there has been no media coverage of the incident. This coincides with 
Wal-mart joining the PCI Advisory board [3] which has a certain bit of 
irony.

    "Wal-Mart takes very seriously the protection of customer data and we
    are honored to have a position on the Advisory Board," Michael A. Coo,
    vice president and assistant treasurer [of Wal-mart], said in a
    statement. "PCI is not a one-time project or issue. The industry's
    efforts to maintain the safety of cardholders' data will continue to be
    an ongoing challenge. We appreciate the confidence placed in us and we
    will strive to be a responsible, contributing member of the board."

This brings many questions to mind. Would Wal-Mart or Michael Coo like to 
answer?

- Why isn't the media covering it?
- Why did Wal-mart disclose to Illinois, and not others?
- Was Wal-mart PCI certified during this time?
- Did Wal-mart accept the position knowing about their own breach?

Last, we have heard rumors from two sources now that the breach mentioned 
above was the *second* to occur at Wal-mart. The first known incident was 
due to an employee/insider taking information. Rumors regarding the second 
breach say it was a long term, systematic external intrusion into the 
Wal-mart network. Does anyone have information on the rumored second 
event? Corroboration of the information we have learned would be 
interesting to say the least.


- security curmudgeon


[1] http://datalossdb.org/incident_highlights/26-walmart-primary-sources-left-field
[2] http://www.walmart.com/
[3] http://www.internetretailer.com/internet/marketing-conference/718429886-wal-mart-takes-spot-advisory-board-pci-data-security-standard.html
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)