CBCnews

TJX breach was preventable: privacy commissioner

Last Updated: Tuesday, September 25, 2007 | 1:25 PM ET

TJX Cos. could have prevented a massive security breach that jeopardized 45.7 million credit and debit cards but failed to take necessary precautions, including upgrading its encryption technology, Canada's privacy commissioner says.

A probe of the security breach found the Massachusetts-based parent company of Winners and HomeSense collected too much information, kept the data for too long and relied on weak WEP encryption technology, federal Privacy Commissioner Jennifer Stoddart told a news conference in Montreal on Tuesday.

"[TJX Cos.] got burned but so did a lot of other institutions and so did a lot of customers," said Alberta Information and Privacy Commissioner Frank Work, who helped Stoddart investigate the case.

"I think we agree that the value of this report lies in informing businesses how not to get burned. The criminals are good and we just have to be better."

Hackers gained access to information through 2 Miami stores

TJX Cos. officials said the hacker may have gained access to customers' credit card data and drivers' licence information — which was collected when customers returned purchases — through the wireless local area networks at two of its Marshalls stores in Miami, Fla. The data was gathered from mid-2005 through December 2006, according to the privacy commissioners' report.

"The security measures put in place relied on weak encryption technology. In particular the technology being used at the time was WEP and the finding was that TJX … should've moved to the WPA encryption protocol earlier," Work said. He noted that TJX Cos. disagreed with this finding.

Work acknowledged that many retailers collect driver's licence information as a means of tracking and dealing with fraudulent returns, but he said the security systems at TJX Cos. were not up to the task. About 330 Canadian driver's licences were compromised in the breach.

In response to the Canadian investigation, TJX has proposed introducing a new encryption system in which driver's licence numbers will be converted into another identifying number. The retailer will not store any driver's licence information in its systems.

Ask how information will be used, commissioner urges consumers

Stoddart said she hoped the case would also provoke consumers to push back and protect their personal information, including phone numbers, addresses and driver's licence information.

"For consumers I think this is yet another example about how we have to be careful about our personal information," Stoddart said.

"We have to realize the potential for the misuse of this information, including our biometric information. Ask where this is going, ask who's doing what with your personal information."

Settlement reached in class-action lawsuit

The press conference follows an announcement on Friday that a settlement had been reached in a class-action lawsuit against TJX Cos. The deal, which has yet to be approved by the courts, offers affected consumers credit-monitoring services and vouchers of up to $60.

In January, TJX Cos. announced millions of credit card accounts were compromised after hackers broke into its computer systems. The company later revealed it learned of the breach in mid-December, but didn't disclose it to the public for a month.

Last week, a court found Florida man Irving Escobar guilty of leading an identity theft ring that used stolen credit card numbers taken in the TJX Cos. breach. Five others have pleaded guilty. Investigators said the Florida ring used stolen credit card numbers to make other counterfeit cards, but was not likely responsible for hacking into the TJX Cos. computer system.

Investigations by U.S. and U.K. authorities into the security breach are continuing.

With files from the Associated Press