Shostack + Friends Blog Archive


Polo Ralph Lauren Breach: The Rules Have Changed.

The security failure at Polo Ralph Lauren is going to be a big story. Not Choicepoint big, but big. According to ComputerWorld, in “Scope of credit card security breach expands:

[An emailed] statement also noted that Polo Ralph Lauren has been working with law enforcement officials and credit card companies since fall 2004 to determine the origin and extent of the compromise. “The company is confident that its credit card system is secure, and that our customers’ credit card information is properly protected,” it added.

According to [HSBC spokesperson] Nicholson, the retailer’s POS systems retained and stored credit card information rather than purging the data immediately after processing each transaction. The problem affected all credit card transactions at the retailer between June 2002 and December 2004, not just those involving HSBC-issued credit cards, he said.

The article also quotes Discover as acknowledging the problem.

So, what’s going to make this a big story? First is the confused and defensive way information is trickling out. Second is that the problem has apparently gone on for two years, as Chris Walsh notes in “POS Security, indeed.” Third is the apparent violation of California’s disclosure & notification law.

But most importantly, while the banks weren’t looking, the American people, our media, and our elected representatives got together and decided that we get to hear about breaches that affect us. Sorry we forgot to invite you, American Bankers Association. Our bad. But we’ve taken a vote, and it was pretty overwhelming. We don’t like it when you treat us like mushrooms. All that dark and dank doesn’t agree with us. Statements like “our customers’ credit card information is properly protected” are clearly lies. If it were true, there’d be no story to report on.

Americans are mostly forgiving. If Ralph Lauren had come out and said “Sorry, we made a mistake, here are the facts,” they’d be forgiven. People chose to shop there. People chose to do business with HSBC for their GM Mastercard; with Discover; and with all the other credit card companies. They understand there’s a risk of a breach, and are willing to accept that. (Especially because it’s credit cards, which are mostly easily changed, rather than social security numbers.)

So this story is a story not because of the breach, but because these banks didn’t get the memo: the rules have changed.