Shostack + Friends Blog Archive


Sports Authority in another Point-of-Sale data retention SNAFU?

I posted this to the Dataloss list earlier today.

Sports Authority Inc. confirmed this week that it recently launched an investigation into its information system after four international banks alerted it to a potential intrusion into its network in December.
With help from the Secret Service and Cybertrust Inc., the sporting goods company determined that there had been no unauthorized access into its system, but that it was violating Payment Card Industry standards by storing magnetic-stripe information.
Chas Withers, a spokesman for Sports Authority, said it was surprised by the discovery, because a Visa U.S.A.-approved assessor had told the company it was not storing such information.

More at (paywall)
I’m not counting this as a breach, but that is subject to revision. Does this mean that if I leave PII open for months, I can get out of my disclosure requirement by hiring a consulting firm? Looks like Chubb Group might have some competition in the insurance business :^). Note how the previously-hired assessor is alleged to have been 100% wrong on a critical point.
By the way, the ‘another’ in the title refers to this episode, among others.
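The finding in the quoted article is that full magnetic-stripe (track) data was sitting in storage after authorization, which PCI DSS forbids regardless of encryption, and that an assessor had missed it. As an added illustration (not code from this post, from Sports Authority, or from any assessor), the following Python script does the check an assessor or an internal team can run over POS logs, database dumps or disk images: it looks for ISO/IEC 7813 Track 1 and Track 2 sentinel patterns, filters candidates with a Luhn check on the PAN to cut false positives, and reports only a masked PAN. The log lines, terminal names and card numbers are constructed for the example (4111111111111111 is a well-known test PAN that passes Luhn).

```python
import re
from dataclasses import dataclass

# Track 1 (ISO/IEC 7813):  %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2:                 ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


@dataclass
class Finding:
    line_no: int
    track: int
    masked_pan: str      # first six and last four digits only; never log the full PAN
    expiry: str          # YYMM exactly as encoded on the stripe
    service_code: str


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; real PANs pass, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI-style masking: keep BIN (6) and last 4, star out the middle."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return every line that contains plausible full track data."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
            for m in rx.finditer(line):
                pan = m.group(1)
                if not luhn_ok(pan):
                    # Sentinels are present but the PAN is not a valid card number:
                    # most likely a test pattern or coincidental bytes, so skip it.
                    continue
                if track == 1:
                    expiry, svc = m.group(3), m.group(4)
                else:
                    expiry, svc = m.group(2), m.group(3)
                findings.append(Finding(line_no, track, mask_pan(pan), expiry, svc))
    return findings


def scan_file(path: str) -> list[Finding]:
    """Scan a log, SQL dump or raw image; undecodable bytes are replaced, not fatal."""
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed sample of a POS debug log.  Line 1 stores only a masked PAN (allowed),
# lines 2 and 3 store full Track 1 / Track 2 data (a PCI violation), and line 4 has
# track-shaped data whose PAN fails Luhn and is therefore not reported.
SAMPLE_LOG = """\
2006-12-03 10:14:02 POS-07 sale approved auth=123456 pan=411111******1111
2006-12-03 10:14:02 POS-07 debug raw_swipe=%B4111111111111111^DOE/JOHN^08121011000000000?
2006-12-03 10:15:37 POS-07 debug raw_swipe=;4111111111111111=08121011000000000?
2006-12-03 10:16:01 POS-07 debug raw_swipe=;4111111111111112=08121011000000000?
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no}: track {f.track} data for {f.masked_pan} "
              f"(exp {f.expiry}, service code {f.service_code})")
```

Run as-is it reports lines 2 and 3 only. Against a real estate the same functions should be pointed at transaction logs, crash dumps, backups and database exports, not just the tables the vendor says hold card data; the discrepancy described in the article is exactly the case where the assessor looked only where they were told to look.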