Thieves steal 35.5M customers’ data from Vans sneakers maker

VF Corporation, parent company of clothes and footwear brands including Vans and North Face, says 35.5 million customers were impacted in some way when criminals broke into their systems in December. The announcement was made in a Thursday 8-K/A filing with the Securities and Exchange Commission (SEC), and we're only left to …

  1. Colin Miller
    Holmes

    Why do they need customers' SSN?

    What legitimate reason does a webstore need for its customers' SSN number?

    Postal and email address, yes. Credit card numbers ideally should be kept on a different server, and passwords should be salted.

    But I can see no reason for the SSN, nor what they would do with it.

    1. Catkin Silver badge

      Re: Why do they need customers' SSN?

      SSN is a good way to uniquely identify US residents without the pitfalls of things like the birthday paradox and culturally common names. The problem is that it's grown legs and become a form of ID verification, which is terrible. Because of said leg growing, it's a bad idea for it to be held by a shop but, in the long term, businesses need to move away from using it as a verification code.

      1. Necrohamster Silver badge

        Re: Why do they need customers' SSN?

        “SSN is a good way to uniquely identify US residents…”

        If I’m buying a pair of Vans online the seller doesn’t need to be able to identify me. I present a valid payment method and a delivery address (and maybe a billing address, if different from the delivery address). Identity verification should not be required by a seller of shoes under any circumstances.

    2. Mike 137 Silver badge

      Re: Why do they need customers' SSN?

      "Credit card numbers ideally should be kept on a different server"

      Whether on a different server or not, credit card numbers (PANs) should ideally not be stored at all once any given transaction is completed. If they must be stored beyond this, PCI-DSS requires that they be one-way hashed or truncated (but not both), strongly encrypted with adequate key management, or tokenised. The aim, of course, is to make the PAN unreadable so it doesn't matter if it's leaked.
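The options named in the comment above (truncation, one-way hashing, tokenisation), sketched as an added example that is not part of the original thread or of any product's code. The names `truncate`, `keyed_hash` and `TokenVault` are hypothetical, the vault is an in-memory toy, and the card number is a public test value.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Check the Luhn checksum so malformed input is rejected before storage."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate(pan: str) -> str:
    """Keep only the first six and last four digits; mask everything between."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def keyed_hash(pan: str, key: bytes) -> str:
    """One-way keyed hash (HMAC-SHA256); the key must live apart from the data."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Toy tokeniser: hands out random tokens, the PAN stays inside the vault.
    Assumption: a real vault would also encrypt its contents at rest."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        token = "tok_" + secrets.token_hex(8)  # random, carries no PAN digits
        self._by_token[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        return self._by_token[token]


TEST_PAN = "4111111111111111"  # constructed sample: public test number, not a real card
```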

    3. Anonymous Coward

      Re: Why do they need customers' SSN?

      They don't need the SSNs of customers, and they don't collect them.

      That was the premise of their smoke and mirrors, which was to avoid answering the actual question (what was actually stolen) by giving some worthless redirection.

      The laws that mandate reporting these breaches should go further and force the company to be fully transparent.

      However, that wouldn't let Congress "appear" to be working "for the people" while they instead commit treason (by selling out their country) and take bribes (lobbying) as they screw over Americans.

    4. david1024

      Re: Why do they need customers' SSN?

      They don't need individual consumer SSNs. And don't collect them. Those are for larger buyers on credit.

  2. abend0c4 Silver badge

    Supreme, Timberland, and Dickies

    Not just a load of cobblers, then.

  3. jseuk56

    3 months to notify customers..

    I have today (in the UK) just received a notification from VF/Vans advising my data was involved in a breach. Only took them 3 months to let me know...utterly awful.
