Dan Goodin reporting for Ars Technica:
Five Eastern European men have been charged with operating a global hacking operation that infiltrated some of the world’s biggest financial institutions, pilfered data for more than 160 million credit cards, and created hundreds of millions of dollars in losses.
“NASDAQ is owned,” Aleksandr Kalinin, a 26-year-old resident of St. Petersburg, Russia, allegedly reported in a January 2008 instant message after finally obtaining administrative access to the stock exchange’s network. Like a rock climber slowly scaling a craggy cliff, he spent months methodically escalating his access into the highly sensitive system. In an instant message he sent six months earlier, after initially gaining less-privileged access, he said, “30 SQL servers, and we can run whatever on them, already cracked admin PWS but the network not viewable yet. those dbs are hell big and I think most of info is trading histories.” “PWS” and “dbs” are presumed to be shorthand for passwords and databases respectively.
Wouldn’t all of these stolen credit card stories go away if retailers stopped storing the information in their databases? Why do they need to keep that information anyway? Surely the reputation damage related to getting hacked outweighs any benefits from retaining the information.