By Joseph Pereira
September 26, 2007
TJX Cos., owner of the T.J. Maxx and Marshalls discount chains, failed
to upgrade its data-encryption system in time to thwart one of the
largest credit-card data thefts in North America, a Canadian government
Investigators also found that the Framingham, Mass.-based retailer was
holding on to its customers' personal information unnecessarily and for
too long, exposing data on at least 45.7 million credit-card numbers to
As a result of their findings, the privacy commissioners of Canada and
the province of Alberta -- which jointly conducted the seven-month probe
-- recommended a number of corrective actions by TJX, including the use
of a sophisticated coding system to protect driver's-license information
and the deletion of all credit-card data after 18 months.
"Basically, what we're asking for is standard practice in the industry,"
said Wayne Wood, a spokesman for the Office of the Information and
Privacy Commissioner of Alberta.
In a statement, TJX spokeswoman Sherry Lang said, "While we respectfully
disagree with many of the commissioners' factual findings and legal
conclusions, we have chosen to implement their recommendations."
Investigators found that TJX was using a weak encryption protocol to
protect its consumer data in July 2005, when hackers first broke into
its computer system. The protocol, known as Wired Equivalent Privacy, or
WEP, isn't recommended by security experts even for wireless home
networks because it is so vulnerable to hackers.
TJX decided to upgrade to a more secure Wi-Fi Protected Access
encryption protocol at the end of September 2005, Canadian officials
said. By then, however, hackers had been able to access the company's
internal transaction database. They did so initially from outside two
stores in Miami, the probe found.
The breach was discovered by TJX this past December and publicly
disclosed in January.
TJX is now under investigation by the Federal Trade Commission and other
U.S. government agencies. Several lawsuits also have been filed by banks
for losses as a result of the credit- and debit-card data theft.
Last week, the company settled a number of class-action lawsuits filed
on behalf of U.S. and Canadian consumers whose names, addresses,
driver's-license information and credit-card information were stolen in
the computer-system break-in.
"The TJX breach is a dramatic example of how keeping large amounts of
sensitive information -- particularly information that is not required
for business purposes -- for a long time can be a serious liability,"
Jennifer Stoddart, Canada's privacy commissioner, said in a statement.