Shostack + Friends Blog Archive


Here's a name: Wal-Mart

Via lyger of the Dataloss mailing list, I learned of an article claiming that Wal-Mart may be the big-box retailer [link to http://security.ithub.com/article/Bank+Card+Reissues+May+Be+Linked+to+WalMart+Breach/171328_1.aspx no longer works] involved in several high-profile card reissues stemming from a breach which led to an international series of card frauds.

In what appears to be a widening incident, Bank of America, MasterCard and Visa all announced this week that they have been informed of a potential security breach at a U.S.-based retailer.
The companies refused to name the retailer involved, but at least one bank said that systems belonging to Wal-Mart Stores, the world’s largest retailer, may be to blame.
A spokeswoman for Regions Financial Corp. confirmed that the bank reissued debit cards in late January after being informed by credit card processor CardSystems Inc. in November that some customer accounts were compromised in a security breach at Wal-Mart and Sam’s Club Stores.
[…]
MasterCard International is also aware of a potential security breach at a U.S.-based retailer, the company said in an e-mail statement.
The company notified banks that issue MasterCard cards to monitor for any suspicious account activity and take the necessary steps to protect cardholders, according to the statement.
However, it was unclear on Feb. 10 whether a breach at Wal-Mart was also behind reissues at the other financial institutions. A Wal-Mart spokesman said he was unaware of an information breach linked to Regions.
Calls to CardSystems Inc. were not returned.
Details of the problem remained scant, with banks and credit card companies refusing to offer details as to how the customer data was exposed or which of its partners was responsible for the situation.
Riess at Bank of America declined to name the retailer or discuss the timing of the breach. She referred questions to Visa and MasterCard. Officials at those companies did not immediately respond to requests for comment.
MasterCard declined to discuss the details of the incident, citing an “ongoing law enforcement investigation.”

SecurityIT Hub [http://security.ithub.com/article/Bank+Card+Reissues+May+Be+Linked+to+WalMart+Breach/171328_1.aspx]
Wow. Wal-Mart. To be specific, is it Sam’s Club, which was reported as being breached in early December 2005, and where Wal-Mart denied that a computer system of theirs had been compromised? Where Gartner and American Banker chided Visa and MC for hoarding info and playing favorites? Where PCI standards were not followed and stripe data stored?
The connection between the BofA/Wamu/Wells Fargo card reissues, and the earlier one by Regions Bank, and the months earlier ones by the Alabama Credit Union, et al. is one I semi-drew last night. I didn’t think there was enough to pin it on Sam’s Club, especially since BofA said a processor wasn’t involved. How would a retailer lose so much info, especially since reports in December were that the detected frauds likely were from customers who bought gasoline at Sam’s Club?
Sam’s Club said this [link to http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/12-02-2005/0004227070 no longer works] in a press release on 12/2/2005:

SAM’S CLUB stressed that the electronic systems and databases used inside its stores and for http://samsclub.com are not involved.

So, databases “inside its stores” and the web site didn’t get penetrated. That leaves, uh, POS devices, and….dare I say it…wireless? If we find out that they got p0wned via wireless (a la Lowes [link to http://www.securityfocus.com/news/9281 no longer works], back in 2004?) I will fall off my chair.
This could be huge. Wal-Mart wants to get into the banking business, and (if true) this isn’t exactly a ringing endorsement.
Early in December, I had some fun with ID Analytics and used their numbers to argue that this breach would have exposed 600,000 accounts. It doesn’t seem like fun, now.
Update 2/19/2006: More recent reports [link to http://news.google.com/news?hl=en&ned=us&q=officemax+breach&btnG=Search+News no longer works as expected] are saying OfficeMax got hit, and the Sam’s Club tie-in is unlikely. Non-blog events will postpone further consideration of this, by yours truly, so those seeking additional speculation (Hi, Pete!) may need to wait ;^).

3 comments on "Here's a name: Wal-Mart"

  • Adam says:

    Fascinating. Is the hatred of Wal-Mart, and their playing fast and loose with what the meaning of “is” is enough to make this a Choicepoint-scale event? The thing that holds it back (I think) is the (perhaps) less intrusive nature of the stolen data. At the same time, Wal-Mart is famous for how much they datamine. So perhaps there was more than debit card numbers?

  • Pete says:

    So is this pure conjecture masquerading as pseudo-fact or what? If there is evidence, please clarify… Otherwise, this is pretty yellow, isn’t it? Is this responsible “reporting” or is there more to it? I think you owe your readers more than rumors, right? (I know you guys really are smart enough to sift through this and provide thoughtful, legitimate analysis rather than repeating what others say simply for the “joy” of the moment.) Please confirm or refute this innuendo. This “claiming…” and “may be…” stuff is for chumps hoping to score on sensationalism.

  • Iang says:

    It seems odd that the banks are putting the lid on who the retailer is. The current environment of disclosure is pretty clear – open up!
    So why are they keeping it secret? Could there be a reason – that isn’t an excuse? I myself wonder if the banks are game-playing here so as to raise the profile of this case.
    Pete – yes, it is all conjecture. That’s what happens when people keep security breaches secret. We are left with pseudo-fact and conjecture. We don’t know what else to do.
    What do you suggest? We play the banks’ game and suppress the conjecture and thus protect the retailer? And thus let them suppress a proper response?

Comments are closed.