From The Register:
Advance Auto Parts, the US motoring parts retailer, is the latest firm to give up customer credit card data to hackers.
The bad guys gleaned financial information on up to 56,000 customers, through an attack affecting 14 stores nationwide...
Advance Auto Parts' website provides more information. So this only affects a handful of stores. Interesting. Methods and perps unknown.
I'm a big fan of companies being held accountable to standards of due care in the form of PCI standards and legal obligations. Significant penalties encourage companies to do the right thing.
Having worked at companies whose execs and upper management didn't give a rip about data security, due care, or anything that didn't involve raking in money, and having heard from more than a few infosec peers that this is the rule, not the exception, the only way my data and yours is going to stay protected is through penalties.
Penalties that significantly affect the bottom line --- or better, penalties that personally affect CEOs: in the form of wearing orange jumpsuits. The only reason SOX got any traction in companies is the threat of jail time for management. HIPAA has been largely ignored by a surprising number of healthcare companies. Bigger fines and jail time for execs would fix that fast.
And remember, we wouldn't even be hearing about these breaches in the first place if it weren't for California's SB1386 and all the copycat laws that other states created thereafter. The effect of these laws should be obvious to anyone following infosec news before and after 2003. Companies were hardly volunteering disclosure of data breaches --- until they were required to by law.
Even then, I'll bet cash money there are still companies ignoring this requirement. I've already posted about delayed notifications. Penalties and laws don't fix everyone and everything, but they do help to counter temptation and encourage honesty.