Comments: Pogo reports: big(gest) bank breach was covered up?

Bruce Spitzer, a spokesman for the Massachusetts Bankers Association, criticized the delay in public notification of the source of the breach.

"Visa and MasterCard have stipulated in their contracts with retailers that they will not divulge who the source is when a data breach occurs," Spitzer said. "We've been engaged in a dialogue for a couple years now about changing this rule.... Without knowing who the retailer is that caused the breach, it's hard for banks to conduct a good investigation on behalf of their consumers. And it's a problem for consumers as well, because if they know which retailer is responsible, they can rule themselves out for being at risk if they don't shop at that retailer."

Posted by Secret Security! at March 26, 2008 07:11 AM

re:
http://www.garlic.com/~lynn/aadsm28.htm#50 Liability for breaches: do we need new laws?
http://www.garlic.com/~lynn/aadsm28.htm#51 Liability for breaches: do we need new laws?
http://www.garlic.com/~lynn/2008f.html#88 Has Banking Industry Overlooked Its Biggest Breach Ever?

...

Programmer who stole drive containing one million bank records gets 42 months; Only 250 customers notified of massive breach
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9072198

from above:

The Compass Bank compromise is one of the largest bank-related breaches yet revealed, in terms of the number of customer records that were potentially exposed. The incident, however, appears to have surfaced for the first time only after the Birmingham News carried a story on the sentencing last week.

... snip ...

Posted by Lynn Wheeler at March 26, 2008 08:05 PM

If hard police work determines that the data was obtained, but not leaked beyond the gang, why would customer notification help? Presumably, their risk is not changed by that kind of breach.

Posted by Florian Weimer at April 4, 2008 03:54 PM

re:
http://www.garlic.com/~lynn/aadsm28.htm#52 Pogo reports: big(gest) bank breach was covered up?

Insider Gets 42 Months for Stealing 1m Customer Records
http://www.infowatch.com/threats?chapter=148831545&id=207784793

from above:

According to court documents, Real stole Compass' database information in May 2007. The database included customer names, account numbers and passwords. He then used the information from the database to make counterfeit debit cards using a magnetic strip encoder and software purchased by Byrd. Between June and July 2007, the pair proceeded to use the counterfeit cards to access Compass customer accounts and withdraw funds from them, typically in amounts not exceeding $500 or so. The documents show that Real would wear disguises when making the ATM withdrawals -- in fact he was apprehended while wearing one.

... snip ...

Frequently breaches are discovered long before attackers are apprehended and all possible fraudulent activity has been identified.

In the past, breaches were kept quiet and any fraudulent activity was frequently treated as random activity. Breach notification allowed potential victims to take countermeasures (like closing accounts or freezing credit bureau records). There is also the possibility that publicity would help motivate preventive measures (crooks being prosecuted for fraudulent account activity but possibly never linked to breaches).

somewhat related post
http://www.garlic.com/~lynn/2008g.html#28 Hannaford case exposes holes in law, some say

The Identity Theft Resource Center Reports That Data Breaches More Than Doubled in 2008 First Quarter
http://www.foxbusiness.com/article/identity-theft-resource-center-reports-data-breaches-doubled-2008-quarter_544967_1.html
Data Breaches More Than Doubled in 2008 First Quarter
http://www.paymentsnews.com/2008/04/data-breaches-m.html
8.3 Million Records Spilled in Data Breaches This Year
http://blog.washingtonpost.com/securityfix/2008/04/83_million_records_spilled_in.html?nav=rss_blog
Data breaches more common
http://blog.seattlepi.nwsource.com/consumersmarts/archives/135617.asp
Grocery Data Breach Offers Important Endpoint Lessons
http://www.bmighty.com/blog/main/archives/2008/04/grocery_data_br.html

Posted by Lynn Wheeler at April 4, 2008 06:03 PM