Study: TJX Companies Inc. Failed To Place Adequate Security Safeguards
The risk of a breach of sensitive personal information held by TJX Companies Inc., the parent company of Winners and HomeSense stores, was foreseeable, but the company failed to put in place adequate security safeguards, an investigation by the Privacy Commissioners of Canada and Alberta has found.
"The company collected too much personal information, kept it too long and relied on weak encryption technology to protect it -- putting the privacy of millions of its customers at risk," said Privacy Commissioner of Canada Jennifer Stoddart.
"Criminal groups actively target credit card numbers and other personal information," Stoddart said. "A database of millions of credit card numbers is a potential goldmine for fraudsters and it needs to be protected with solid security measures.
"The TJX breach is a dramatic example of how keeping large amounts of sensitive information -- particularly information that is not required for business purposes -- for a long time can be a serious liability."
The joint investigation by the two commissioners was launched after TJX disclosed in January that its computer system had been breached. This breach involved millions of credit and debit card numbers as well as other personal information, such as driver's license numbers collected when customers returned merchandise without receipts.
"This case is a wake-up call for all retailers. They must collect only the personal information necessary for a transaction," said Frank Work, the Information and Privacy Commissioner of Alberta.
"One positive outcome of this extremely unfortunate breach is that TJX worked cooperatively with us to develop a new process for dealing with unreceipted returns which strikes an appropriate balance between privacy rights and a retailer's need to take steps to prevent fraud."
TJX believes the intruder may have initially gained access to customer information via the wireless local area networks at two of its US stores. Customer information was stolen from mid-2005 through December 2006, a TJX investigation found. Some stolen information involved transactions dating back to 2002.
Stolen information included credit card account data as well as data collected when customers returned merchandise without a receipt (drivers' license numbers, names and addresses).
The investigation found:
TJX did not properly manage the risk of an intrusion against the amount of customer data that it collected.
The company failed to act quickly in converting from a weak encryption standard to a stronger standard. The conversion process took two years to complete, during which time the breach occurred.
TJX did not meet its duty to monitor its computer systems vigorously. An adequate monitoring system should have alerted the company of an intrusion prior to December 2006.
The company did not adhere to the requirements of the Payment Card Industry Data Security Standard, which was developed to address the growing problem of credit card data theft.
The investigation also found the company did not have a reasonable purpose to collect driver's license and other identification numbers when unreceipted merchandise was returned. TJX stated it asked for this information as part of a fraud prevention process to identify people frequently returning merchandise. It retained the driver's license numbers -- an extremely valuable piece of information for identity thieves -- indefinitely.
In response to these concerns, TJX proposed a new process to address fraudulent returns. Store staff will continue to ask for identification, however, information such as a driver's license number will instantly be converted into a unique identifying number when it is keyed into the point-of-sale system. This will allow the company to track unreceipted merchandise returns without keeping original driver's license numbers in its system.