Data Breach Could Test Massachusetts Law

Posted by CmdrTaco
from the keeping-the-secrets dept.
Gunkerty Jeb writes "The Massachusetts Attorney General has been notified that financial data on 1,800 residents was exposed in a database breach linked to the CitySights NY sightseeing firm. Could this be the test case for enforcement of the State's nine-month-old data privacy law? The leak of financial information on more than 100,000 customers of the CitySights sightseeing tour company could prove to be an early test of the nation's strongest data privacy law."

  • by PatPending (953482) on Tuesday December 21, 2010 @07:28PM (#34635714)

    Related story: Sightseeing Firm Overlooks Security, 110k Credit Card Numbers Stolen [threatpost.com] (emphasis added)

    The database contained a variety of customer financial data, including the customer's name, address, e-mail address, credit card number, as well as the expiration date and card verification value (CVV2) data. If true, that would mean that Twin America was in violation of Payment Card Industry (PCI) regulations on data retention, which prohibit retailers from permanently storing the CVV2 data along with other card data, because it makes it far easier to generate fraudulent transactions when combined with the card data.

    Twin America said it has filed a complaint with the FBI's Internet Crime Complaint Center and hired Kroll, Inc. to investigate the incident. It has also notified individuals affected by the breach and patched discovered vulnerabilities on its Web server, deployed an application layer firewall, limited access to its Web based administrative panel and changed and hardened administrative passwords throughout its organization.

  • by MichaelKristopeit314 (1963188) on Tuesday December 21, 2010 @07:41PM (#34635842)
    if amazon.com doesn't store card data, then how am i allowed to make purchases using existing saved card data?
  • Re:Test the Law (Score:2, Interesting)

    by Anonymous Coward on Tuesday December 21, 2010 @07:42PM (#34635848)
    I work for a MA company that deals with personal data for several Fortune 100 companies. (posting AC for obvious reasons)
    The Law is a joke. The rules are so vague that no matter what precautions are taken you could be found in violation. Who defines "reasonable?" What is adequate "encryption?"

    This law is just another example of rushed "Think of the children" (for children read anyone) laws that get passed these days.
