Glazed and confused: Hole lotta highly sensitive data nicked from Krispy Kreme

Re: Alarming gaps

.. and, given their audience and the consequences, probably their BMI ..

Re: Alarming gaps

This isn't customers... this is mostly employees & their families

Nah, they'll just book a room at Trump tower for a few nights and buy some Trump coin and that'll be it.

The US no longer has a justice system, only a legal system.

Certainly the credit card companies should take action.

Realistically, they should suspend processing, demand their chosen experts examine the code and not allow processing to resume till they are satisfied its safe. (No different to Boeing having to ground planes until they can prove they are safe to be in the air.) Regular inspections should continue for the next five years. And their fees should be raised till then.

For this alone Krispy Kreme could/should face $9M - $15M in Payment Card Industry Data Security Standard (PCI-DSS) fines. It also risks losing credit/debit card privileges, even if only temporarily, which would have a bigger, more immediate impact on its business.

Re: Until firms and CEOs are PERSONALLY legally liable

Dude, calm down, you'll have a coronary

Re: Until firms and CEOs are PERSONALLY legally liable

This is what too many Krispy Kremes does to you. As for Marks and Sparks - dust not settled on that yet, "where there is blame there's a claim" or in the UK legal profession "Where there is harm, its a charm".

Re: Until firms and CEOs are PERSONALLY legally liable

"thats why I lie on my DOB, my graduation date, bloody everything I can when I sign up"

It wasn't until later in life that I met somebody that triggered an "ah hah" moment about creative lying. I was trained in childhood to always be truthful. That turns out to be a lot like using idealized components in electronics. It's a good first approach that must be discarded as one learns more and can discern when it's appropriate to use a more detail model, ie, get a bit more creative.

Today, phone numbers are the universal tracking tags. People can keep their numbers nearly forever if they don't shift countries and have to at least add a local number. Do that and you have two. Add a business line and the bad guys can triangulate you fairly easily. It might be that in future, people are assigned one at birth and the dossier starts from there. The phone number I give out when there's no need for some requester to have my number is a test number that just rings. Also handy that the area code is for Washingtion, DC. I have recently signed up for a new number to leave my old one behind over the course of a year. I've had the old one for far too long. I have long lived email addresses that I use with friends and family, others for handing out to utility companies and so forth and a huge number of temp addresses I set up and throw away several times per year. Anything that only needs my email for a short period of time gets a temp address. If I need the connection longer, I update them with my new temp address. If it becomes a semi-permanent thing, they'll get one of the longer permanence ones. The beauty of having my own URL's rather than using gmail or another free service. I do have a gmail address. It's only used for one thing on a phone that has no SIM. When I need to update a couple of free apps, I'll borrow a cup of WiFi from somewhere, log into the play store and get updated.

I'm as lazy as the next guy so I try to figure out ways to keep off lists that don't take lots of effort. Years and years ago, I stopped using my physical address for anything where there wasn't a law (driving license, etc). My driving license shows my PO Box address since that's allowed. Law enforcement can see my physical address if they run my license so I hope they don't get hacked (again?). My objective was to get off and stay off mailing lists. UPS, FedEx and DHL sell mailing lists which I why I have also signed up at the post office to allow them to receive packages on my account. I just use the physical address of the local post office with my box number appended.

A variation on Homer's "Ode to the Donut"...

"Shambling through life, you klutz,

No matter how futile your goals,

Keep your eye upon the nuts^†,

And not upon the arseholes."

_{† particularly those holding sharp knives or high office.}

Re: Why are they called donuts when there aren't any nuts in them?

An archaic definition of nut is "a small cake or biscuit"

Re: Better Question

A better question would be, why is a vendor of doughnuts even storing sensitive information in the first place?

In earlier and more innocent days I assumed the model for payments in e-commerce was (or would be) the customer's order and pricing would be acquired by the merchant's site (shopping trolley), a unique transaction id generated and included in an cryptographically protected payment request that is forwarded to a secure payment gateway site where the customer might complete the transaction with a secure receipt returned to the merchant.

Clearly in this model which to me still seems the sanest, not only doesn't the merchant retain card details but never has those details to store in the first place.

Payment gateway provides should be highly regulated and precluded from conflicts of interest such as owning or being owned by a merchant. Ideally a purely standalone entity or an arm's length entity operated by a consortium of fully licenced resident financial institutions (commonly banks.)

As for the other information any entity that stores client information, that entity should have the statutory reason for that data retention and period of storage annotating that data. That is only client data that is permitted by law to be stored may be retained for the period and for the purposes permitted and no other; the onus of proof is on the entity. The sanctions need to be entirely criminal and flow up organisational chart to the chair and board - similar to WH&S culpability in some jurisdictions.

For my part I am not a vindictive man but I would be entirely happy for whole Krusty clown show to be sold off, the c-suite and board sold for spare parts with the proceeds shared between the victims and employees.

we do, but you have to earn it. Which I am fine with. I just wish they would quit raising the age to collect.

"How come Americans have a Social Security number, yet no social security?"

Well, I suppose they could have named it "yet another tax taken from your pay", but that didn't have a friendly ring to it.