Slashdot Mirror


Data Breach Could Test Massachusetts Law

Gunkerty Jeb writes "The Massachusetts Attorney General has been notified that financial data on 1,800 residents was exposed in a database breach linked to the CitySights NY sightseeing firm. Could this be the test case for enforcement of the State's nine month-old data privacy law? The leak of financial information on more than 100,000 customers of the CitySights sightseeing tour company could prove to be an early test of the nation's strongest data privacy law."

4 of 73 comments

  1. Violation of Payment Card Industry regulations? by PatPending · · Score: 3, Interesting

    Related story: Sightseeing Firm Overlooks Security, 110k Credit Card Numbers Stolen (emphasis added)

    The database contained a variety of customer financial data, including the customer's name, address, e-mail address, credit card number, as well as the expiration date and card verification value (CVV2) data. If true, that would mean that Twin America was in violation of Payment Card Industry (PCI) regulations on data retention, which prohibit retailers from permanently storing the CVV2 data along with other card data, because it makes it far easier to generate fraudulent transactions when combined with the card data.

    Twin America said it has filed a complaint with the FBI's Internet Crime Complaint Center and hired Kroll, Inc. to investigate the incident. It has also notified individuals affected by the breach and patched discovered vulnerabilities on its Web server, deployed an application layer firewall, limited access to its Web based administrative panel and changed and hardened administrative passwords throughout its organization.

    --
    What one fool can do, another can. (Ancient Simian Proverb)
    1. Re:Violation of Payment Card Industry regulations? by PatPending · · Score: 4, Informative

      Not law but:

      Penalties for Non-compliance

      25. Are there fines associated with non-compliance of the PCI Data Security Standards?

      Yes. Visa, MasterCard, and Discover Network may impose fines on their member banking institutions when merchants do not comply with PCI Data Security Standards. You are contractually obligated to indemnify and reimburse us, as your acquirer, for such fines. Please note such fines could be significant.

      26. Are there fines if cardholder data is compromised?

      Yes. If cardholder data that you are responsible for is compromised, you may be subject to the following liabilities and fines associated with non-compliance:

      • Potential fines of up to $500,000 (in the discretion of Visa, MasterCard, Discover Network or other card companies).
      • All fraud losses incurred from the use of the compromised account numbers from the date of compromise forward.
      • Cost of re-issuing cards associated with the compromise.
      • Cost of any additional fraud prevention/detection activities required by the card associations (i.e. a forensic audit) or costs incurred by credit card issuers associated with the compromise (i.e. additional monitoring of system for fraudulent activity).

      Source: https://www.wellsfargo.com/biz/help/merchant/faqs/pci#Q25

      --
      What one fool can do, another can. (Ancient Simian Proverb)
    2. Re:Violation of Payment Card Industry regulations? by PatPending · · Score: 4, Informative

      The credit card merchant service provides a hash value that is subsequently used. You may store the expiration date and last four digits.

      --
      What one fool can do, another can. (Ancient Simian Proverb)
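An added example, not code from the story, the page or any of the commenters, illustrating the retention rule in the two comments above: the merchant keeps only the processor's reference (the comment calls it a hash value; processors generally call it a token), the last four digits and the expiry, and never the full PAN or the CVV2. The checkout payload, the names and the `tokenize_with_processor` stand-in are all constructed for this example; no real processor API is called, and 4242 4242 4242 4242 is the widely used test number, not a real account. The second half, `find_pans`, is the check a merchant can run over a database dump, log file or backup to confirm it is not retaining card numbers it believes it dropped.

```python
import re
import secrets
from dataclasses import dataclass

# Constructed sample checkout payload: what a merchant's order form might
# hold for a moment before the card is handed to the payment processor.
# 4242 4242 4242 4242 is the well-known test PAN, not a real account.
RAW_CHECKOUT = {
    "name": "Jane Example",
    "email": "jane@example.invalid",
    "card_number": "4242 4242 4242 4242",
    "expiry": "12/27",
    "cvv2": "123",
}


@dataclass(frozen=True)
class StoredCard:
    """The only card-related fields the merchant keeps on file: the
    processor's opaque reference, the last four digits and the expiry."""
    token: str
    last4: str
    expiry: str


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; separates card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def tokenize_with_processor(pan: str, expiry: str, cvv2: str) -> str:
    """Hypothetical stand-in for the processor call (no real API is used).
    A real processor authorizes with the PAN/expiry/CVV2 it received and
    returns an opaque reference from its own vault; the merchant never
    derives the reference from the PAN itself, so this just draws a random id.
    The CVV2 is consumed here and goes nowhere else."""
    return "tok_" + secrets.token_hex(8)


def to_storable(raw: dict) -> StoredCard:
    """Reduce a raw checkout payload to the fields allowed at rest.
    The PAN and CVV2 are used once to obtain the token and then dropped."""
    pan = re.sub(r"\D", "", raw["card_number"])
    if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("card_number is not a valid PAN")
    token = tokenize_with_processor(pan, raw["expiry"], raw["cvv2"])
    return StoredCard(token=token, last4=pan[-4:], expiry=raw["expiry"])


# Digit runs of 13-19 with optional space/dash separators, not embedded in
# a longer digit run; the Luhn check below prunes most false positives.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_pans(text: str) -> list[str]:
    """Scan text (a database dump, log file, backup) for Luhn-valid card
    numbers: the check a merchant runs to confirm it is not retaining PANs."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    record = to_storable(RAW_CHECKOUT)
    print("stored:", record)
    print("PANs in stored record:", find_pans(repr(record)))
    print("PANs in raw payload:", find_pans(repr(RAW_CHECKOUT)))
```

Two design points: the stored record has no field that could hold a CVV2 at all, so the retention rule is enforced by the schema rather than by discipline, and the scanner is deliberately loose on separators and tight on Luhn, which is the usual trade-off when sweeping logs and dumps for numbers that should not be there.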
  2. I'm not. by Anonymous Coward · · Score: 3, Insightful

    ... the other side of me knows that you can only deter so much, if someone really wants in, they will gain access one way or another...

    Tough shit. If a company is going to store that information, then they need to protect it. There's absolutely no reason what so ever for a sightseeing company to store credit card information. None. Customer comes back next year, well get the card number again - the card could be expired anyway.

    And companies who keep it on file for things like automatic renewals at magazines - fucking Scientific American does this whether you like it or not when you subscribe online - then they must protect that data. Someone breaks in? Too fucking bad. It's their fault - no excuses.