This is an enlightening (if fictional) data breach story at a retailer, involving PCI, data theft, lawyers, breach disclosure and a lot of painful decisions by the exec team. Those who have never been in such a situation should read it, in order to at least take a peek at what might happen to their organization in the near future...
Especially fun things to notice:
- an opinion by their legal that "If we disclose, we’ll probably get sued"
- environment complexity which doesn't allow them to pinpoint the breach
The sad part is that the story is kinda unfinished... Please, please, write it all the way to the end :-)
UPDATE: another set of fun comments on this story is available here. Chris makes an insightful comment about the team going thru "all seven distinct stages of the data breach grieving process" :-)