Bad timing: JC Penney CEO talks IT security on eve of data breach reports

Jan 18, 2008 · 2 mins
Data and Information Security

Security begins at home, but it sure doesn’t end there.

That’s what Mike Ullman, the Chairman and CEO of JC Penney Company, must be thinking today as he reads news reports that credit card data on 650,000 of his company’s customers (and possibly those of other retailers) has gone missing.

GE Money, which handles JC Penney’s credit card data, says that a backup tape stored at an Iron Mountain warehouse went missing back in October. According to this report, it hasn’t been seen since.

Ironically, as the breach was first being reported, I was in San Francisco’s Metreon, watching a slick documentary movie, called The New Face of Cybercrime, done by Fortify Software. In the movie, Ullman speaks at length about how important security was to his company. It’s cool to see a CEO talking about IT security, but talk about bad timing.

You can see a clip of it here. Ullman talks at 0:37, saying, “It is clear that there are people trying to take advantage of mistakes that may have been made in the code by finding a way through the firewall into our information.”

I wonder if anyone is trying to take advantage of the mistakes that may have been made by their partners?


I just filed a story on this breach, and J.C. Penney is one of 230 retailers affected (“230 Retailers Affected by Data Breach after Tape Lost”). Their accounts represent just a tiny fraction of all that have been compromised. They just had some bad luck here. Apparently, the AP reporter who broke the story was tipped off by a JC Penney customer.

–Robert McMillan