
TJX Settles With Feds

No Fines, But 20 Years of Audits Result from Data Breach
March 28, 2008 - Linda McGlasson, Managing Editor


Related Story: Reaction to TJX Settlement: "A Very Light Slap on the Wrist"

The Federal Trade Commission has settled with discount retailer TJX, charging that the retailer failed to provide "reasonable and appropriate security for sensitive consumer information."

While no fines were levied, the FTC will require the retailer to implement comprehensive information security programs and obtain audits by independent third-party security professionals every other year for 20 years. The Framingham, MA-based company's 2,500 stores include the T.J. Maxx and Marshalls chains.

Last January, TJX revealed its computer servers had been hacked, and more than 45 million customer records were breached. (See: TJX Settlement)

Data broker Reed Elsevier PLC and its Seisint subsidiary also were cited for the same security failures and face the same punishment. (See FTC press release: Agency Announces Settlement of Separate Actions Against Retailer TJX, and Data Brokers Reed Elsevier and Seisint for Failing to Provide Adequate Security for Consumers' Data)

This is the second settlement TJX has made as a result of the largest consumer breach in history. The first settlement, with VISA, came last November and cost the retailer $40 million. (See TJX, Visa Agree to $40.9 Million Payout for Data Breach).


"By now, the message should be clear: companies that collect sensitive consumer information have a responsibility to keep it secure," says FTC Chairman Deborah Platt Majoras in the FTC statement. The TJX settlement is the 20th case where the FTC has used its regulatory muscle to rein in security-deficient companies that don't protect sensitive consumer information.

Findings

The FTC charges that TJX failed to use reasonable and appropriate security measures to prevent unauthorized access to personal information on its computer networks.

The FTC's investigation shows an intruder exploited these failures and obtained data on tens of millions of credit and debit payment cards that consumers had used at TJX's stores, as well as the personal information of approximately 455,000 consumers who returned merchandise to the stores.

Banks and credit unions say millions of dollars in fraudulent charges were made on the breached cards, and as a result of the breach the institutions were forced to cancel or reissue millions of cards. A class-action suit brought by state banking associations on behalf of banks ended with the banks recouping some of their losses as part of TJX's settlement with VISA.

The FTC charges that TJX:

  • Created an unnecessary risk to personal information by storing it on, and transmitting it between and within, its various computer networks in clear text;
  • Did not use readily available security measures to limit wireless access to its networks, thereby allowing an intruder to connect wirelessly to its networks without authorization;
  • Did not require network administrators and others to use strong passwords or to use different passwords to access different programs, computers, and networks;
  • Failed to use readily available security measures, such as firewalls, to limit access among its computers and the Internet; and
  • Failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as patching or updating anti-virus software.
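The first charge in the list above, storing card data in clear text, is one a defender can check for directly. The following Python script is an added example, not part of this article and not anything TJX or the FTC published: it scans a few constructed point-of-sale log lines for primary account numbers written in the clear, uses the Luhn checksum to drop digit runs that merely look like card numbers (order IDs, timestamps), and reports only masked values so the finding itself does not leak the data.

```python
import re
from typing import Iterable, List, Tuple

# A candidate PAN is 13-19 digits, optionally separated by spaces or dashes,
# not adjacent to other digits (so a 20-digit run is not partially matched).
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so reports do not reproduce the clear-text PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_cleartext_pans(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, masked_pan) for each Luhn-valid card number found in clear text."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(lines, start=1):
        for m in PAN_PATTERN.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append((lineno, mask(digits)))
    return hits


# Constructed sample log lines (hypothetical; the card numbers are well-known test values).
SAMPLE_LOG = [
    "2008-01-17 12:00:01 POS-0042 sale amount=59.99 pan=4111111111111111 exp=0910",
    "2008-01-17 12:00:02 POS-0042 sale amount=12.50 pan=************1111 exp=0910",
    "2008-01-17 12:00:03 RETURN order=1234567890123456 pan=4111 1111 1111 1112",
    "2008-01-17 12:00:04 POS-0043 sale amount=3.25 pan=5500 0000 0000 0004 exp=1109",
]


if __name__ == "__main__":
    for lineno, masked in find_cleartext_pans(SAMPLE_LOG):
        print(f"line {lineno}: clear-text card number {masked}")
```

Line 2 is already masked and is ignored; line 3 contains two 16-digit runs that both fail the Luhn check (an order number and a mistyped card number), so only lines 1 and 4 are reported. In a real deployment the same logic would be pointed at log directories, database exports and backup files, and any hit is a finding to remediate (truncate, tokenize or encrypt at the source), not merely to log.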

The settlement with TJX requires it to establish and maintain a comprehensive security program reasonably designed to protect the security, confidentiality, and integrity of personal information it collects from or about consumers. The auditors will be required to certify that the companies' security programs meet or exceed the requirements of the settlement.

The FTC coordinated its investigation of TJX with 39 state Attorneys General, led by the office of the Massachusetts Attorney General.






Question
Question
?What are your thoughts on the TJX settlement? Too easy, too harsh, just right? What did you hope to see?
Here's your chance to be a part of the dialogue and engage with your peers! Just enter your comment to the right, click submit to send it to our Editor. All entries are posted anonymously.
Please login if you would like to post a comment on this question.

To the person who thinks TJX was treated unfairly: what planet are you from, or on at this time? We are talking about people's credit lives and identities here, and TJX got off practically scot-free with only $.50 per stolen transaction. It would cost the people who possibly had their identities stolen thousands of dollars, and years to fix.

The FTC treated TJX unfairly. The FTC should rethink the law of credit card security, and stop treating merchant victims of organized crime as culprits.

I am simply amazed at the judgement. There has to be some blue blood politics or heavy weight pushing for that kind of verdict. Also, for such a large business, what kind of Risk Management Program are they using inside? Obviously nothing, but again, obviously they must have known they were doing nothing. Another instance of flawed justice and how the big guys win and the little ones pay. Waaaay too easy; my judgement (and shopping habits) will be harsher. I simply will now refuse to purchase at TJX. Double standard. Why did Visa have to pay, but TJX doesn't? Where does all that money go anyway?

I don't see any punishment at all for TJX. Pretty interesting timing, as FTC Commissioner Majoras is "stepping down" on March 30th.

Do I understand this correctly? TJX must, as its punishment, do what it was supposed to have done all along?

Stricter regulation on companies that handle customer information. If banks are regulated, fined and closed for breach of security programs, why not retailers? Who were the hackers? I have not heard their names or their punishment. Probably an inside job.

TJX got off way too easy. Total negligence on their part; someone should have gone to jail for this. I have serious doubts that they were "hacked"... more likely an inside job.

I'm curious if the hackers that committed this crime will endure comparable consequences. I don't hear anything about the ones that actually committed the crime.

The settlement is not the problem. The problem is weak data protection/privacy laws based on a vendor-friendly "opt out" model. Better privacy laws will only occur when citizens demand them.