Yawn.....Another multi-million dollar data breach

[classicman]

My card was not replaced. I was not notified of any breach or possible breach. Additionally, when I called there was no admission by them either.

[tw]

Quote:

Originally Posted by classicman

My card was not replaced. I was not notified of any breach or possible breach. Additionally, when I called there was no admission by them either.

I don't see the necessary statement, "The security of my card was breeched". Without that fact, the entire post is meaningless. How do you know a security breech of your card even existed?

[xoxoxoBruce]

Quote:

Originally Posted by xoxoxoBruce

Mine hasn't been replaced.

Quote:

Originally Posted by tw

I don't see the necessary statement, "The security of my card was breeched". Without that fact, the entire post is meaningless. How do you know a security breech of your card even existed?

So I suppose mine is meaningless also? And Wolf's was meaning less because she was only speculating hers was replaced because of the security breech?

[mbpark]

Bruce,

I think both, with an emphasis on lazy IT people, because systems like this are very hard to set up, and are why InfoSec people make a lot of money.

You just don't cut the budgets for this unless you're very stupid. It makes no sense.

Then again, knowing some of the middle managers I deal with in IT, nothing they do makes sense to anyone but themselves.

Mitch

Quote:

Originally Posted by xoxoxoBruce

Mitch, do you have a feeling for whether this Heartland fuck up was lazy IT people, or management cutting IT to the bone for the bottom line?

[richlevy]

Quote:

Originally Posted by mbpark

Then again, knowing some of the middle managers I deal with in IT, nothing they do makes sense to anyone but themselves.

The funny thing is that this is 2 years after the TJX computer intrusion, which cost that company 256 million dollars!! So with all of that history, and considering that, unlike TJX, their entire company is built around computer data, one would think that they would be hyper-secure.

Well, it appears that there is significant progress in the Heartland case. The company has created a website to inform the public. Note the use of the word unencrypted. They are not saying that PIN numbers weren't taken, just that if they were they were encrypted.

I am so glad that California and then Congress passed a law requiring notification in cases like this. Does anyone want to bet on whether TJX and Heartland would have announced the breach if they weren't forced to by law?

Quote:

No confidential merchant data, Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were retrieved in what is believed to be a global cyber-fraud operation. Heartland does not yet know how many card numbers were obtained. Many reports in the press are speculative.

Consumers will know if their card account numbers have been used by reviewing their monthly statements. Cardholders should report suspicious activity to their issuing banks (the bank that issued the card, not the card brand). If unauthorized use is confirmed, cardholders are reimbursed for the fraudulent purchases and are not held financially responsible.

[mbpark]

They didn't say what method was used to encrypt the data. ROT-13 doesn't count .

Then again, PIN numbers are encrypted at the keypad level these days, at least that is good for ATM cards. Credit cards are a whole other deal. That provides these people little comfort. What other data do they have?

TJX and Heartland would have said nothing unless they had to legally. You and I know that some middle management type looking to save a buck and make himself look good by either screwing other people, his subordinates, consultants, or even his bosses was probably the genesis.

And you know that in many places in Corporate America, such behavior would be rewarded positively for innovation. Other places would find such a manager mysteriously "resigning" and ending up at another place, or quietly "out of the industry". Dilbert is a documentary in this regard.

Like I said, I deal with middle management a lot. Never before have I seen people so willing to screw each other blind and bitch over petty little things instead of working to get things done. I thought things were bad when I spent most of my time working on the tech side of the house instead of management.

I've seen enough of this to believe that petty infighting and the blame game had a significant contribution to this unfortunate incident. Now a company is probably going to go under because some middle manager in charge of network security had a grudge with the DBAs.

[tw]

Quote:

Originally Posted by xoxoxoBruce

And Wolf's was meaning less because she was only speculating hers was replaced because of the security breech?

Classicman said his card was not replaced. Completely different from wolf whose card was replaced.

Wolf said a card was replaced due to a security breech. classicman suggested his card was not replaced due to no security breech. classicman is invited correct his post to make it relevant. For example, he could add the missing sentence "My card security was breeched". Obviously his post is currently ambiguous.

[tw]

Quote:

Originally Posted by mbpark

I've seen enough of this to believe that petty infighting and the blame game had a significant contribution to this unfortunate incident. Now a company is probably going to go under because some middle manager in charge of network security had a grudge with the DBAs.

Sometimes, infighting was observed as a symptom of management that did not know how the work got done. Had no idea what employees were doing; no clue as to how to provide the necessary attitude and knowledge; did not even know employees were not doing security.

Not only could the boss not provide necessary management support. But his technical ignorance also made cooperation impossible. If he cooperated, then others might realize how little he really knew about what his employees did and could do.

Well, the reporter can only ask the president and company spokesperson why failures happened. Obviously the reporter cannot get an answer. If they knew, then the problem would not have existed in the first place. So we are left to only speculate or await the employee blogs.

[xoxoxoBruce]

No, Wolf said her card was replace and she SUSPECTED is was because of the publicized security breach, but they wouldn't confirm it.

I said my card was not replaced after the publicized security breach.

Classic said his card was not replaced and although they wouldn't confirm whether his card was breached or not, he was assuming it wasn't because it was not replaced.

If you didn't tail post you would have know that.

[tw]

Quote:

Originally Posted by xoxoxoBruce

Classic said his card was not replaced and although they wouldn't confirm whether his card was breached or not,

Which is exactly what I posted. So your complaint is what? That you did not comprehend what was posted? Or that you now admit classicman's post as ambiguous?

[xoxoxoBruce]

Oh stop it. None of the posts were ambiguous, you're just stirring shit.

[wolf]

Quote:

Originally Posted by xoxoxoBruce

No, Wolf said her card was replace and she SUSPECTED is was because of the publicized security breach, but they wouldn't confirm it.

To clarify ...

My card was replaced after the 12/06 TJ Maxx breach. Citibank admitted that it was because of TJ Maxx that they were replacing the cards. Funny thing was, that I pretty much NEVER shop at TJ Maxx, except that was just after momwolf came home from the nursing home and in the midst of making Christmas extraspecial for her, I bought two nightgowns at TJ Maxx, which I then had to return. So ... had I not done a good deed, I wouldn't have exposed that particular card to that particular store.

So anyway ... it was just about three or four months ago that I received two new Citibank cards on that same account in fairly quick succession. The explanatory letter admitted to a security breach on the part of a large vendor. They did not, in the content of that letter, reveal the name of the vendor. They also would not, when I contacted the Citibank Security Department directly, reveal the name of the vendor, but they did confirm that a breach had occurred.

[xoxoxoBruce]

Then where ever it was, it's someplace that Classic and myself don't shop, so he was right in assuming his card had not been compromised*.




*That they know of.

[tw]

Quote:

Originally Posted by xoxoxoBruce

Oh stop it. None of the posts were ambiguous, you're just stirring shit.

Where does classicman say security was or was not breeched? He says neither. You keep pouring that shit on the floor. It's no longer just ambiguous. It's a downright slippery slope.

Meanwhile, many have probably seen a credit card number changed without comment. It suggests how widespread these security problems may be (or that security is actually working).

Quote:

Originally Posted by richlevy

I am so glad that California and then Congress passed a law requiring notification in cases like this.

Card numbers changed without comment suggests a loophole may exist in those laws. For example, if they change your card number and claim a security breech was not yet known (only suspected), then they need not report the breech? If so, how many such breeches have actually existed unreported?

[tw]

Quote:

Originally Posted by wolf

So anyway ... it was just about three or four months ago that I received two new Citibank cards on that same account in fairly quick succession.

New cards on the same account - or new account numbers?