TJX breach was preventable: privacy commissioner
Last Updated: Tuesday, September 25, 2007 | 1:25 PM ET
CBC News
Related
Internal Links
- Settlement reached in TJX class-action lawsuit
- Florida police make arrests in TJX, Winners credit card theft
- TJX probe finds security breach wider than first thought
- TJX says hackers stole data from 45 million cards
- Winners, HomeSense say hackers didn't get Canadian debit info
- IN DEPTH: Identity theft
External Links
(Note: CBC does not endorse and is not responsible for the content of external sites - links will open in new window)
TJX Cos. could have prevented a massive security breach that jeopardized 45.7 million credit and debit cards but failed to take necessary precautions including upgrading their encryption technology, Canada's privacy commissioner says.
A probe of the security breach found the Massachusetts-based parent company of Winners and HomeSense collected too much information, kept the data for too long and relied on weak WEP encryption technology, federal Privacy Commissioner Jennifer Stoddart told a news conference in Montreal on Tuesday.
"[TJX Cos.] got burned but so did a lot of other institutions and so did a lot of customers," said Alberta Information and Privacy Commissioner Frank Work, who helped Stoddart investigate the case.
'I think we agree that the value of this report lies in informing businesses how not to get burned. The criminals are good and we just have to be better.'—Frank Work, privacy commissioner
"I think we agree that the value of this report lies in informing businesses how not to get burned. The criminals are good and we just have to be better."
Hackers gained access to information through 2 Miami stores
TJX Cos. officials said the hacker may have gained access to customers' credit card data and drivers' licence information — which was collected when customers returned purchases — through the wireless local area networks at two of its Marshalls stores in Miami, Fla. The data was gathered from mid-2005 through December 2006, according to the privacy commissioners' report.
"The security measures put in place relied on weak encryption technology. In particular the technology being used at the time was WEP and the finding was that TJX … should've moved to the WPA encryption protocol earlier," Work said. He noted that TJX Cos. disagreed with this finding.
Work acknowledged that many retailers collect driver's licence information as a means of tracking and dealing with fraudulent returns but he said the security systems at TJX Cos were not up to the task. About 330 Canadian drivers licences were compromised in the breach.
In response to the Canadian investigation, TJX has proposed introducing a new encryption system in which driver's licence numbers will be converted into another identifying number. The retailer will not store any driver's licence information in their systems.
Ask how information will be used, commissioner urges consumers
Stoddart said she hoped the case would also provoke consumers to push back and protect their personal information including phone numbers, addresses and driver's licence information.
Canada's privacy commissioner said TJX Cos. failed to introduce adequate security measures to protect consumers' credit card information.
(CBC)
"For consumers I think this is yet another example about how we have to be careful about our personal information," Stoddart said.
"We have to realize the potential for the misuse of this information, including our biometric information. Ask where this is going, ask who's doing what with your personal information."
Settlement reached in class-action lawsuit
The press conference follows an announcement on Friday that a settlement had been reached in a class-action lawsuit against TJX Cos. The deal, which has yet to be approved by the courts, offers affected consumers credit-monitoring services and vouchers of up to $60.
In January, TJX Cos. announced millions of credit card accounts were compromised after hackers broke into its computer systems. The company later revealed it learned of the breach in mid-December, but didn't disclose it to the public for a month.
Last week, a court found Florida man Irving Escobar guilty of leading an identity theft ring that used stolen credit card numbers taken in the TJX Cos. breach. Five others have pleaded guilty. Investigators said the Florida ring used stolen credit card numbers to make other counterfeit cards, but were not likely responsible for hacking into the TJX Cos. computer system.
Investigations by U.S. and U.K authorities into the security breach are continuing.
With files from the Associated PressShare Tools
Top News Headlines
- Grammys to honour Whitney Houston
- Jennifer Hudson will pay tribute to her idol, Whitney Houston, at Sunday's Grammy Awards, as the annual celebration of the best in music has turned sombre upon news of the singer's death. more »
- Greek parliament debates over bailout vote amid protests
- Scuffles have erupted outside the Greek parliament as tens of thousands of protesters gather there while lawmakers debate legislation introducing severe austerity measures necessary for a crucial bailout to stave off bankruptcy. more »
- NDP leadership hopefuls set for Quebec debate
- Federal NDP leadership candidates were preparing Sunday for an afternoon debate in Quebec City. more »
- Whitney Houston mourned en masse online
- The online sphere exploded when news of singer Whitney Houston's death broke. Fans, admirers and peers in the music industry joined in a chorus of grief and sympathy. more »
- Pop queen Whitney Houston dies at 48
- Whitney Houston 'happy' in days before death
- Whitney Houston's death sparks chorus of grief
- Quebec man charged with killing mother, 2 nieces
- Carleton University confirms death of student
- Adults-only trade show cancelled in B.C. Bible belt
- Ultimate Tazer Ball combines shock and soccer
- Attawapiskat receives first modular home
- Gadhafi Mexico plot riles SNC-Lavalin, insiders say
