Today’s Breach News

Too many breaches … too little time 🙂

First, a new breach – Bebe Stores confirmed that they had been breached, but not much else. They said it covered the US, Puerto Rico and the Virgin Islands. They did say that it did not affect their online store (no POS terminal to compromise, I suspect), nor did it impact Canada or R.O.W. (the rest of the world). The store is offering free credit monitoring, although, as Brian Krebs pointed out, that has zero effect on your existing credit cards being used by miscreants.

There is one bit of good news – and maybe a sign that the retail industry is improving its detection capability. They said the breach period was only 18 days. Given that many of these breaches have gone on for months and a few for years, this is an improvement.

Hopefully, they will release more details soon.

On to Target. Ars Technica and other sources are reporting that the judge in the Target lawsuit case told Target that their creative legal maneuver didn’t work and the lawsuit by the banks can move forward. For those of you who did not see my earlier post, Target’s lawyers tried to claim that because Target and the banks suing them did not have a “special relationship”, the banks could not sue them. The judge said yes, they can. This has the potential to push more of the cost of breaches onto the retailers, which would tend to move security up the priority food chain if it does (if you had to reimburse the banks for tens or hundreds of millions of dollars for fraudulent purchases, I suspect you would begin to pay more attention too).

Next, Sony.  Apparently an HR employee at Sony pilfered some data from his or her former employer, Deloitte, and that data got outed in the Sony hack-attack.  The data that got published because of this was payroll data on thousands of Deloitte employees.  Besides the fact that it showed a huge pay gap between male and female Deloitte employees, which could wind up as the basis of a lawsuit for Deloitte, I would assume that this employee signed an agreement not to steal proprietary information.  If I were Deloitte, I would be at least considering whether I should sue this ex-employee who is now at Sony.  It is possible that Deloitte gave this ex-employee or Sony their payroll data, in which case, the employee is in the clear, but I doubt it.  Can this thing get any weirder?

It can. The NY Times is reporting that the GOP dumped “tens of terabytes” of Sony hacked data, including passwords, social security numbers, salaries and performance reviews, into pastebin. That is way more than the 100 gigabytes reported earlier. From a sheer bandwidth standpoint, either the hackers were walking out the door with disk drives in hand or they were streaming the hacked data for a while.

And lastly, for today, according to the LA Times, the payroll company that processes payments for SAG (Screen Actors Guild) members was breached. The company says that the hacker only had access to the system for two hours, but they also said “The information accessed included Social Security numbers, private accounts and addresses”.