Advance Auto Parts Cops to Credit Card Theft

(MoneyWatch)  From retail tech blog StoreFrontBackTalk: The latest retailer to report credit card data theft, Advance Auto Parts, admits that stolen info dating back three to seven years was not encrypted, violating basic security practices.

An Advance Auto Parts spokeswoman told blogger Evan Schuman that the majority of the stolen information was old data from December 2001 through December 2004 -- none of it encrypted. It should have been deleted after a system conversion but wasn't. While the chain now encrypts payment data, it isn't compliant with PCI, the Payment Card Industry security standard. "We should be compliant in the next couple of months," the spokeswoman said.

Just complying with PCI wasn't enough to help Hannaford Bros., the New England supermarket chain whose card security was breached to the tune of 4.2 million records a month ago. The Hannaford job apparently involved malware installed on servers at every store.

Such incidents will continue to happen, retail IT expert Cathy Hotka said on Retailwire.com, until retailers face the music. "Many CIOs report that they struggle to obtain security funding from top management, while making do with considerably less IT money than other industries enjoy," Hotka says in a discussion on data breaches. "Retail CEOs are going to have to make a decision about whether they really want to be safe from Russian hacker gangs and others, or not."

Advance Auto Parts says the credit card theft affected 56,000 customers of 14 stores in eight states -- out of 3,261 total stores in 40 states. But David Utter of Security Pro News predicts that an investigation will reveal a bigger mess yet. "We will be pleasantly surprised if the breach is limited to these 14 stores," he writes in his Insider Reports column.