BreachExchange mailing list archives
Questions for Wal-mart re: PCI compliance
From: security curmudgeon <jericho () attrition org>
Date: Fri, 15 May 2009 00:53:14 +0000 (UTC)
Last month, Dave w/ DatalossDB.org commented [1] that the Primary Sources project uncovered a dataloss incident at Wal-mart [2]. A few things to note:

- Information taken consisted of 48,000 associates residing in Illinois
- Breach happened in mid 2007
- Breach was not specific to Illinois

DatalossDB / OSF have sent out numerous FOIA requests to states that have mandatory disclosure laws. The results of those requests had no mention of Wal-mart. It's been almost two years since the incident happened, and there has been no media coverage of the incident. This coincides with Wal-mart joining the PCI Advisory board [3] which has a certain bit of irony.

"Wal-Mart takes very seriously the protection of customer data and we are honored to have a position on the Advisory Board," Michael A. Coo, vice president and assistant treasurer [of Wal-mart], said in a statement. "PCI is not a one-time project or issue. The industry's efforts to maintain the safety of cardholders' data will continue to be an ongoing challenge. We appreciate the confidence placed in us and we will strive to be a responsible, contributing member of the board."

This brings many questions to mind. Would Wal-Mart or Michael Coo like to answer?

- Why isn't the media covering it?
- Why did Wal-mart disclose to Illinois, and not others?
- Was Wal-mart PCI certified during this time?
- Did Wal-mart accept the position knowing about their own breach?

Last, we have heard rumors from two sources now that the breach mentioned above was the *second* to occur at Wal-mart. The first known incident was due to an employee/insider taking information. Rumors regarding the second breach say it was a long term, systematic external intrusion into the Wal-mart network. Does anyone have information on the rumored second event? Corroboration of the information we have learned would be interesting to say the least.

- security curmudgeon

[1] http://datalossdb.org/incident_highlights/26-walmart-primary-sources-left-field
[2] http://www.walmart.com/
[3] http://www.internetretailer.com/internet/marketing-conference/718429886-wal-mart-takes-spot-advisory-board-pci-data-security-standard.html
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)