EWeek on The Gap Breach
Lisa Vaas has a great article in eWeek, “Let’s Demand Names in Data Fumbles”
That unnamed vendor should indeed be taken to task. The Gap is now in the process of contacting an enormous number of people in the United States and Canada whose information may have been compromised, and it’s providing credit reporting services to those affected for up to a year, at what surely must be a significant cost—particularly galling, given that the vendor broke the terms of an agreement that the information that wound up stolen be encrypted.
Highly worth reading. There’s a new normal emerging around breaches, and it’s going to be good for computer security.
Even if you’re a victim today, remember that there’s no way to improve except by studying what’s going wrong.
In closely related news, StoreFront Backtalk [http://storefrontbacktalk.com/] has a story about merchants suggesting that the card associations, live Visa, ought to do better. Today, they requiring merchants to hold card numbers and protect them. Why not hold less sensitive data? See “Retail Group Lobbying To Have Credit Card Data No Longer Stored.” [link to http://storefrontbacktalk.com/story/100407PCI.php no longer works]
First thing I did was try to identify the vendor. I went to the Gap’s jobs site, and saw that they used Taleo. I Googled “taleo GAP”, thinking that maybe Taleo would tout the fact that they had such a high-profile client, etc.
Instead, I found a press release from Taleo, explicitly stating that they were not the breach source. This press release was issued the day of (or perhaps the day after) news of the breach became public.
The fact that a company which has completely clean hands nonetheless felt it necessary to spend their time and money on this kind of reputation innoculation is yet another argument against GAP’s closed mouth policy.
The company Gap I kind of know what is going on i am working for the credit reporting services that is giving out the membership for the people and children that were effected with the data breach.. It is so hard to help the customers understand that we are doing the best that we can and getting them signed up.. I know when your effected with this your very upset and we do understand that… We have dealt with all different data breaches. This one is so important b/c of the kids. Just to let you know we do understand and we will help you as much as we can..