Credit card data hacks hit the headlines
Posted by ~Ray @ 2007-12-12 15:47:03
The online auction site eBay was embarrassed when information on 1,200 eBay users, including their credit card numbers, appeared on one of its discussion boards, which was immediately taken offline.
In a series of postings on the marketplace's boards, an eBay communications team member explained: "While the issue was very unfortunate, it was clearly falsified to cause public concern. Early on, eBay's teams verified that the credit card 'data' did not match anything on record for these members on eBay or PayPal."
However, details of a more significant security breach were published in some detail by the Office of the Privacy Commissioner of Canada (OPC) in a report on the theft of personal information held by TJX, which operates more than 250 fashion stores in the US and Canada.
While couched in legalese derived from its role as the official watchdog of the Canadian personal information protection acts, the report (PDF) makes for instructive reading on both the physical security aspects of the case and the principles of personal data protection applied in Canada.
In December 2006, TJX detected suspicious software on its computer network and started an investigation that concluded intruders had gained access to the system via wireless local area networks to the "retail transaction switches" at two of its stores in Miami. These servers processed and stored customer information related to payment-card transactions, and the drivers' licence and other identity numbers of 330 Canadian residents who had returned unreceipted goods to TJX stores in the US.
The retailer explained to OPC's investigators that it needed this information to deter fraud, but the regulator's report concluded that the TJX case "illustrates how maintaining custody of large amounts of sensitive information can be a liability, particularly if the information does not serve any useful purpose or if the retention period is longer than necessary".
Collecting and retaining excessive personal information creates an unnecessary security burden, the report argued. "Organisations should collect only the minimum amount of information necessary for the stated purposes and retain it only for as long as necessary, while keeping it secure."
In its final conclusion the report stated: "TJX did not have reasonable security arrangements in place at the time of the breach. Too much sensitive information was retained and the safeguards in place had inherent weaknesses. Robust security safeguards comprise a variety of elements such as asset management, network segregation and active monitoring. We believe that TJX did not have as robust a system in place at the time as it could have had."
Although the retailer contested the findings, it has upgraded its security systems, introduced a "hashed ID" numbering system so that it does not need to hold drivers' licence numbers, and submitted a number of follow-up reports to the OPC.
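The "hashed ID" approach above is the data-minimisation remedy the OPC report points to: a retailer can still count unreceipted returns per customer without ever storing the licence number itself. The following is an added illustration, not TJX's own system or code from the article; it assumes a secret key kept outside the returns database, and uses a keyed HMAC rather than a plain hash because identity numbers come from a small, structured space that an unkeyed digest would not protect against guessing.

```python
import hmac
import hashlib
import secrets
from collections import Counter

# Assumed secret key held outside the returns database (a secrets manager or
# HSM in practice); generated in-process here purely for the demonstration.
PEPPER_KEY = secrets.token_bytes(32)


def normalise_id(raw_id: str) -> str:
    """Canonicalise an identity number so that spacing, dashes or case
    differences at the till do not produce different tokens."""
    return "".join(ch for ch in raw_id if ch.isalnum()).upper()


def hashed_id(raw_id: str, key: bytes = PEPPER_KEY) -> str:
    """Derive a keyed token from an identity number.

    Without the key, an attacker who steals the ledger cannot recover the
    licence number by enumerating the (small) space of valid numbers and
    hashing each candidate, which is the weakness of a plain SHA-256 token.
    """
    digest = hmac.new(key, normalise_id(raw_id).encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()


class ReturnsLedger:
    """Counts unreceipted returns per customer while storing only the token,
    never the underlying licence number."""

    def __init__(self) -> None:
        self._returns = Counter()

    def record_return(self, raw_id: str) -> str:
        token = hashed_id(raw_id)
        self._returns[token] += 1
        return token

    def returns_for(self, raw_id: str) -> int:
        return self._returns[hashed_id(raw_id)]

    def stored_keys(self) -> set:
        """What a data-breach reviewer would see: only 64-hex-char tokens."""
        return set(self._returns)


if __name__ == "__main__":
    ledger = ReturnsLedger()
    for licence in ["A1234-567", "a1234 567", "B9999-000"]:  # constructed sample IDs
        ledger.record_return(licence)
    print(ledger.returns_for("A1234567"))  # 2
```

Rotating the key invalidates every token, so the retention period of the ledger is bounded by the key lifetime as well as by deletion policy.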
Geoff Sweeney, chief technology officer of London-based security consultancy Tier-3, noted that TJX included a $107 million reserve to cover the costs in its half-year financial report and estimated that future costs arising from the breach and subsequent lawsuits would run to another 21 million.
"Even though TJX got off relatively lightly so far, the fact that the legal settlement is already into nine figures should serve as a stark warning to other companies," said Sweeney. "Protect your customer database and other private information or face the consequences."

Related article:
http://www.accountingweb.co.uk/item/173702/1025/1021/1026