Shostack + Friends Blog Archive


A compromising position

Does Pete Lindstrom need to buy a dictionary? You make the call.
In a recent post at Spire Security Viewpoint, he suggests that the folks at the Privacy Rights Clearinghouse might be liars:

I am starting to see (and hear) this “100 million records lost since February, 2005” figure referenced in a number of places such that it has somehow gained credibility. What I wonder is if the Privacy Rights Clearinghouse is blatantly lying by listing the CardSystems’ 40 million records (I am not a statistician, but I think that is a full 40% of the total ;-)), or is just shoddy in its tracking (wink, wink, nudge, nudge).

I may have missed it, but I don’t see the Privacy Rights Clearinghouse claiming that any records were lost, by CardSystems or anyone else.
What they do say on the widely-cited breach chronology page is:

The running total we maintain at the end of the Chronology represents the approximate number of *records* that have been compromised due to security breaches….

(my bold)
“Lose” and “compromise” have different meanings. Sure, there may only have been a confirmed loss of 260K records. However, “compromise” (according to the dictionary) means:

[T]o expose or make vulnerable to danger, suspicion, scandal, etc.; jeopardize

Is this not precisely what is said to have happened in the CardSystems instance?
Consider for example these words from the FTC complaint against CardSystems:

Since 1998, respondent has stored authorization responses for up to thirty (30) days in one or more databases on its computer network. Each day, these databases contain as many as several million authorization responses.

In September 2004, a hacker exploited the failures set forth in Paragraph 6 by using an SQL injection attack on respondent’s web application and website to install common hacking programs on computers on respondent’s computer network. The programs were set up to collect and transmit magnetic stripe data stored on the network to computers located outside the network every four days, beginning in November 2004. As a result, the hacker obtained unauthorized access to magnetic stripe data for tens of millions of credit and debit cards.

(My emphasis)
Now, CardSystems never admitted any wrongdoing, and it was its successor company that entered into a consent agreement with the FTC. But if you are a person of ill intent (as I think we can say the hacker was), and you have unauthorized access to the mag stripes of tens of millions of credit and debit cards, have you not “jeopardized” those records, exposed them, or made them vulnerable to danger? If not, what the heck does it take?
As an aside, I think “compromise” is an excellent word choice. Tying back to the notification trigger discussion in the CIPPIC report, I may prefer it to both “access” and “acquire”. I will probably address this question in an extremely tedious and narrowly-focused post in a few days.
