Tuesday, February 20, 2007

Another sad statistic, the Stop and Shop data breach

Last weekend, Stop and Shop (Quincy, MA) reported a data breach at two of their stores in Rhode Island. After an initial investigation, they tracked the theft to two PIN pads.

Consumer Affairs has the most informative story (my opinion) on this current breach. They are reporting that with the assistance of the Secret Service, four more compromised PIN pads have been identified (all in the Rhode Island area).

Martin H. Bosworth makes an interesting point in his article that the United States hasn't been as proactive as our European friends in instituting new technology to stop debit/credit card fraud, such as chip and PIN.

Of course, implementing PCI data protection standards is not exactly 100 percent, either.

PCI data protection standards were implemented by the payment card industry, and even when they are violated, the only consequence seems to be that the merchant will be fined. The standards are designed to stop merchants from storing information they aren't supposed to.

Consumer Affairs story, here.

Of interest (in this case) is that (it appears) PIN pads were tampered with inside the stores, which makes me wonder if there is some sort of inside connection?

Tom Fragala (CEO, Truston Identity Theft Services) did a recent post on his blog, where he linked to a video on how easily a remote ATM machine can be compromised in a store, here.

Of note, Truston is the only service for victims (that I know of), where someone doesn't have to submit all their personal information to a database, which could be compromised, also.

This is a good video, but note the ATM was in a pretty concealed area, and I'm guessing that these PIN pads were in the checkout lanes in stores?

Attrition.org and PogoWasRight provide information on data breaches (frequently updated), here.

Someone should start a chronology of how many of the people stealing this information get caught. Unfortunately, the list wouldn't be very long.

*(Update): I must have missed that Attrition.org is recording arrests, but the results are not encouraging.

The most recent news about legislation to protect the people being victimized by this growing problem isn't good.

A recent article by Scott Bradner (Network World) about how special interests are preventing the passage of any meaningful legislation argues this point, eloquently:

The Leahy privacy bill: coddling the criminals?


Anonymous said...

I love the blog that you have. I was wondering if you would link my blog to yours and in return I would do the same for your blog. If you want to, my site name is American Legends and the URL is:


If you want to do this just go to my blog and in one of the comments just write your blog name and the URL and I will add it to my site.


Anonymous said...

Re a chronology of people getting caught: the Attrition.org database does have a field for entering whether there's been an arrest or not, but as you would expect, there have not been a lot of "yes" entries.