BankInfoSecurity.com - Information Security News, Regulations, & Education


TJX Report: Wake-up Call for All Institutions

September 30, 2007 - Linda McGlasson, Managing Editor

This article was originally created for BankInfoSecurity.com, and contains information that should interest our GovInfoSecurity.com readers.

Too Much Data, Too Little Security -- a Recipe for Disaster

The risk of a breach of sensitive personal information held by TJX Companies Inc. was foreseeable, but the company failed to put in place adequate security safeguards, according to the report released this week by Canada’s Office of the Privacy Commissioner of Canada (OPC) and the Office of the Information and Privacy Commissioner of Alberta (AB OIPC).

“The company collected too much personal information, kept it too long and relied on weak encryption technology to protect it – putting the privacy of millions of its customers at risk,” says Privacy Commissioner of Canada Jennifer Stoddart.

Of the more than 45 million consumers affected by the TJX data breach, announced in January, many reside north of the U.S. border in Canada, where they shopped at Winners and HomeSense stores. Now the OPC and the AB OIPC have released a much-publicized report on their joint investigation of the TJX parent company and its Canadian subsidiary, retailer Winners Merchant International. Read the report: Canadian Report

“Criminal groups actively target credit card numbers and other personal information,” says Stoddart. “A database of millions of credit card numbers is a potential goldmine for fraudsters, and it needs to be protected with solid security measures.


“The TJX breach is a dramatic example of how keeping large amounts of sensitive information – particularly information that is not required for business purposes – for a long time can be a serious liability.”

The report concisely lays bare the inadequacies and flawed security that led up to the breach. One statement made early in the report sums it up: “One of the best safeguards a company can have is not to collect and retain unnecessary personal information. This case serves as a reminder to all organizations operating in Canada to carefully consider their purposes for collecting and retaining personal information and to safeguard accordingly.”

A “Wake-up Call”

The joint investigation was launched after TJX disclosed in January that its computer system had been breached. This breach involved more than 45 million credit and debit card numbers, as well as other personal information such as driver’s license numbers collected when customers returned merchandise without receipts.

“This case is a wake-up call for all retailers. They must collect only the personal information necessary for a transaction,” says Frank Work, the Information and Privacy Commissioner of Alberta.

The report also hits TJX for not only collecting more customer information than was needed for completing a transaction, but also for failing to take adequate measures to protect the collected data. The commissioners fault TJX for not having a monitoring system in place that could detect the breach earlier and for failing to implement the Payment Card Industry data security standards mandated by major credit card companies. Banks and credit unions here in the U.S. have filed lawsuits against TJX as a result of this breach (see related story: New England Banks File Class Action Suit Against Retailer TJX ).

The investigation concludes that TJX did not comply with the federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), or with Alberta’s Personal Information Protection Act (PIPA). The investigation finds:

  • TJX did not properly manage the risk of an intrusion against the amount of customer data that it collected.
  • The company failed to act quickly in converting from a weak encryption standard (Wireless Encryption Protocol or WEP) to a stronger standard (Wi-Fi Protected Access or WPA/WPA2). The conversion process took two years to complete, during which time the breach occurred.
  • TJX did not meet its duty to monitor its computer systems vigorously. An adequate monitoring system should have alerted the company of an intrusion prior to December 2006.
  • The company did not adhere to the requirements of the Payment Card Industry Data Security Standard, which was developed to address the growing problem of credit card data theft.
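The findings above come down to two controls a retailer can audit mechanically: wireless access points still on weak encryption during a WPA migration, and personal data (such as driver’s license numbers from receipt-less returns) kept beyond its business purpose. The following Python is an added illustration, not code from the report or from TJX; the AP inventory, return records, retention window and permitted-field set are all constructed.

```python
"""Audit two of the controls the commissioners' findings fault TJX on:
access points still on WEP (or open) during a WPA migration, and personal
data retained past its business purpose. All data below is constructed."""
from datetime import date, timedelta

# Constructed AP inventory: store, AP name, configured security mode.
AP_INVENTORY = """\
store,ap,security
0101,ap-front,WEP
0101,ap-stock,WPA2
0102,ap-front,OPEN
0102,ap-pos,WPA
0103,ap-front,WPA2
"""

WEAK_MODES = {"OPEN", "WEP"}  # neither protects card data in transit


def audit_wireless(inventory_csv):
    """Return (weak APs as 'store/ap (mode)', percent migrated to WPA/WPA2)."""
    rows = [r.split(",") for r in inventory_csv.strip().splitlines()[1:]]
    weak = [f"{s}/{a} ({m})" for s, a, m in rows if m.upper() in WEAK_MODES]
    pct = round(100 * (len(rows) - len(weak)) / len(rows), 1) if rows else 100.0
    return weak, pct


# Constructed return-transaction records: (record id, date, PII fields held).
RETURN_RECORDS = [
    ("r1", date(2006, 1, 15), {"card_number", "drivers_licence"}),
    ("r2", date(2006, 11, 20), {"card_number"}),
    ("r3", date(2007, 9, 1), {"card_number", "drivers_licence"}),
]


def audit_retention(records, today, retention_days, permitted_fields):
    """Return (ids held past the retention window, ids holding fields the
    stated purpose does not require). Both are what the report says to cut."""
    cutoff = today - timedelta(days=retention_days)
    stale = [rid for rid, when, _ in records if when < cutoff]
    excess = [rid for rid, _, fields in records if fields - permitted_fields]
    return stale, excess


if __name__ == "__main__":
    weak, pct = audit_wireless(AP_INVENTORY)
    print(f"APs still on weak encryption: {weak}; migrated: {pct}%")
    stale, excess = audit_retention(RETURN_RECORDS, date(2007, 9, 30), 365, {"card_number"})
    print(f"past retention: {stale}; holding excess PII: {excess}")
```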
