Investigators Blame Lax Security For T.J. Maxx Data Breach - InformationWeek


Investigators Blame Lax Security For T.J. Maxx Data Breach

A report out of Canada also gives credence to widespread conjecture that hackers may have accessed the retailer's network through a wireless connection.

A Canadian investigation into the massive data breach at the parent company of T.J. Maxx is pointing the finger at the retailer for not putting "adequate security safeguards" in place and holding on to too much customer information.

A joint investigation by two Canadian privacy commissioners also notes that the hacker very well may have accessed the TJX network through wireless local area networks at two of the company's U.S. stores. That piece of the puzzle comes after months and months of conjecture and widespread speculation about the break-in entry point.

"The company collected too much personal information, kept it too long, and relied on weak encryption technology to protect it, putting the privacy of millions of its customers at risk," said Privacy Commissioner of Canada Jennifer Stoddart. "Criminal groups actively target credit card numbers and other personal information. A database of millions of credit card numbers is a potential gold mine for fraudsters and it needs to be protected with solid security measures."

The investigation also reported that:

  • TJX failed to act quickly in moving from a weak encryption standard to a stronger one. The conversion process took two years to complete, during which time the breach occurred.
  • TJX did not meet its duty to monitor its computer systems vigorously. An adequate monitoring system should have alerted the company to an intrusion prior to December 2006.
  • The company didn't adhere to the requirements of the Payment Card Industry Data Security Standard, which was developed to address the growing problem of credit card data theft.

Earlier this year, TJX announced the loss of more than 45 million credit and debit card numbers that were stolen from its IT systems during an 18-month period. It's considered to be the largest customer data breach on record.

Canadian investigators pointed out that the breach involved millions of credit and debit card numbers, as well as other personal information, such as driver's license numbers that were collected when customers returned merchandise without receipts. Customer information was stolen from mid-2005 through December 2006, the investigation reported. Some stolen information involved transactions dating back to 2002.

TJX, which is the parent company of retailers like T.J. Maxx, Marshalls, and HomeGoods, reported in its second-quarter earnings in August that the company had to absorb a $118 million charge related to the massive security breach. For the second quarter, which ended July 28, the breach cost 25 cents per share -- 10 times more than the 2 cents to 3 cents company executives estimated just three months ago.

Earlier this week, TJX announced a proposed settlement that offers to reimburse people for the cost of replacing their driver's licenses, three years of credit monitoring, and a three-day, 15%-off sale.

"This case is a wake-up call for all retailers. They must collect only the personal information necessary for a transaction," said Frank Work, the Information and Privacy Commissioner of Alberta, in a written statement. "One positive outcome of this extremely unfortunate breach is that TJX worked cooperatively with us to develop a new process for dealing with un-receipted returns, which strikes an appropriate balance between privacy rights and a retailer's need to take steps to prevent fraud."
