TJX Cos.could have prevented a massive security breachthat jeopardized 45.7 million credit and debit cards but failed to take necessary precautions including upgrading their encryption technology, Canada's privacy commissioner says.
A probe of the security breach found the Massachusetts-based parent company of Winners and HomeSense collected too much information, kept the data for too long and relied on weak WEP encryption technology, federal Privacy Commissioner Jennifer Stoddart told a newsconference in Montreal onTuesday.
"[TJX Cos.] got burned but so did a lot of other institutions and so did a lot of customers," saidAlberta Information and Privacy Commissioner Frank Work, who helped Stoddart investigate the case.
'I think we agree that the value of this report lies in informing businesses how not to get burned. The criminals are good and we just have to be better.' —Frank Work, privacy commissioner
"I think we agree that the value of this report lies in informing businesses how not to get burned. The criminals are good and we just have to be better."
Hackers gained access to information through 2 Miami stores
TJX Cos. officials said the hacker may have gained access to customers' credit card data and drivers' licence information — which was collected when customers returned purchases — through the wireless local area networks at two of its Marshalls stores in Miami, Fla. The data wasgatheredfrom mid-2005 through December 2006, according to the privacy commissioners' report.
"The security measures put in place relied on weak encryption technology. In particular the technology being used at the time was WEP and the finding was that TJX … should've moved to the WPA encryption protocol earlier," Work said. He noted that TJX Cos. disagreed with this finding.
Work acknowledged that many retailers collect driver's licence information as a means of tracking and dealing with fraudulent returns but he said the security systems at TJX Cos were not up to the task. About 330 Canadian drivers licences were compromised in the breach.
In response to the Canadian investigation, TJX has proposed introducing a new encryption system in which driver's licence numbers will be converted into another identifying number. The retailer will not store any driver's licence information in their systems.
Askhow information will be used, commissioner urges consumers
Stoddart said she hoped the case would also provoke consumers to push back and protect their personal information including phone numbers, addresses and driver's licence information.
"For consumers I think this is yet another example about how we have to be careful about our personal information," Stoddart said.
"We have to realize the potential for the misuse of this information, including our biometric information. Ask where this is going, ask who's doing what with your personal information."
Settlement reached in class-action lawsuit
The press conference follows an announcement on Friday that a settlement had been reached in a class-action lawsuit against TJX Cos. The deal, which has yet to be approved by the courts, offers affected consumers credit-monitoring services and vouchers of up to $60.
In January, TJX Cos. announced millions of credit card accounts were compromised after hackers broke into its computer systems. The company later revealed it learned of the breach in mid-December, but didn't disclose itto the public for a month.
Last week, a court found Florida man Irving Escobar guilty of leading an identity theft ring that used stolen credit card numbers taken in the TJX Cos. breach. Five others have pleaded guilty. Investigators said the Florida ringused stolen credit card numbers to make other counterfeit cards, but were notlikely responsible forhacking intothe TJX Cos. computer system.
Investigations by U.S. and U.K authorities into the security breach are continuing.