TJX's Security System Faulted in Canada Probe

TJX's Security System Faulted in Canada Probe
TJX's Security System Faulted in Canada Probe 

By Joseph Pereira
September 26, 2007

TJX Cos., owner of the T.J. Maxx and Marshalls discount chains, failed 
to upgrade its data-encryption system in time to thwart one of the 
largest credit-card data thefts in North America, a Canadian government 
investigation found.

Investigators also found that the Framingham, Mass.-based retailer was 
holding on to its customers' personal information unnecessarily and for 
too long, exposing data on at least 45.7 million credit-card numbers to 

As a result of their findings, the privacy commissioners of Canada and 
the province of Alberta -- which jointly conducted the seven-month probe 
-- recommended a number of corrective actions by TJX, including the use 
of a sophisticated coding system to protect driver's-license information 
and the deletion of all credit-card data after 18 months.

"Basically, what we're asking for is standard practice in the industry," 
said Wayne Wood, a spokesman for the Office of the Information and 
Privacy Commissioner of Alberta.

In a statement, TJX spokeswoman Sherry Lang said, "While we respectfully 
disagree with many of the commissioners' factual findings and legal 
conclusions, we have chosen to implement their recommendations."

Investigators found that TJX was using a weak encryption protocol to 
protect its consumer data in July 2005, when hackers first broke into 
its computer system. The protocol, known as Wired Equivalent Privacy, or 
WEP, isn't recommended by securities experts even for wireless home 
networks because it is so vulnerable to hackers.

TJX decided to upgrade to a more secure Wi-Fi Protected Access 
encryption protocol at the end of September 2005, Canadian officials 
said. By then, however, hackers had been able to access the company's 
internal transaction database. They did so initially from outside two 
stores in Miami, the probe found.

The breach was discovered by TJX this past December and publicly 
disclosed in January.

TJX is now under investigation by the Federal Trade Commission and other 
U.S. government agencies. Several lawsuits also have been filed by banks 
for losses as a result of the credit- and debit-card data theft.

Last week, the company settled a number of class-action lawsuits filed 
on behalf of U.S. and Canadian consumers whose names, addresses, 
driver's-license information and credit-card information were stolen in 
the computer-system break-in.

"The TJX breach is a dramatic example of how keeping large amounts of 
sensitive information -- particularly information that is not required 
for business purposes -- for a long time can be a serious liability," 
Jennifer Stoddart, Canada's privacy commissioner, said in a statement.

CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - 

Site design & layout copyright © 1986-2014 CodeGods