Advance Auto Parts Breach Included Unencrypted Payment Data From 2001
Written by Evan SchumanApril 11th, 2008
Unencrypted customer credit card information dating back to 2001 was among the customer payment data stolen from as many as 56,000 customers of Advance Auto Parts, according to one company official, who added that the chain is not PCI compliant.
The $4.8 billion automotive aftermarket parts chain—which dubs itself the nation's second largest such chain, with 3,261 stores in 40 states, Puerto Rico and the Virgin Islands—said the breach appears to have impacted customers from 14 of its stores in Georgia, Ohio, Louisiana, Tennessee, Mississippi, New York, Virginia and Indiana.
This Story Is Only Available For Premium Subscribers. Click Or Login In Below To Read The Rest Of This Story.
Already a Subscriber? Login Here
2 Comments | Read Advance Auto Parts Breach Included Unencrypted Payment Data From 2001
Leave a Reply
Readers, specifically those who want to comment on a story:
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.
-Ed
April 14th, 2008 at 11:30 am
Part of PCI compliance should be searching for “rogue” databases containing cardholder data. These can be on mainframes, servers, or laptops. Sensitive number finders (e.g., PANs or SSNs) can help. This experience reinforces the notion that it isn’t just what you know that can hurt you, but what you don’t know.
April 16th, 2008 at 1:17 pm
Actually PCI DSS compliance *Requires* just that for a Level 1 merchant, which Advance will now become by virtue of their breach. Presumably they were not a Level 1 prior to the breach which meant they had a more relaxed standard that does not require the search.