TJX Report: Wake-up Call for All Institutions
The risk of a breach of sensitive personal information held by TJX Companies Inc. was foreseeable, but the company failed to put in place adequate security safeguards, according to the report released this week by Canada’s Office of the Privacy Commissioner of Canada (OPC) and the Office of the Information and Privacy Commissioner of Alberta (AB OIPC).
“The company collected too much personal information, kept it too long and relied on weak encryption technology to protect it – putting the privacy of millions of its customers at risk,” says Privacy Commissioner of Canada Jennifer Stoddart.
Of the more than 45 million consumers affected by the TJX data breach, announced in January, many of those consumers affected reside north of our borders in Canada, shopping at the Winners and HomeSense stores. So, now the OPC and the AB OIPC have released a much-publicized report on their joint investigation of the TJX parent company and its Canadian-based subsidiary – retailer Winners Merchant International. Read Report: Canadian Report
“Criminal groups actively target credit card numbers and other personal information,” says Stoddart. “A database of millions of credit card numbers is a potential goldmine for fraudsters, and it needs to be protected with solid security measures.
“The TJX breach is a dramatic example of how keeping large amounts of sensitive information – particularly information that is not required for business purposes – for a long time can be a serious liability.”
The report concisely lays bare the inadequacies and flawed security that led up to the breach. One statement made early in the report sums it up: “One of the best safeguards a company can have is not to collect and retain unnecessary personal information. This case serves as a reminder to all organizations operating in Canada to carefully consider their purposes for collecting and retaining personal information and to safeguard accordingly.”
A “Wake-up Call”
The joint investigation was launched after TJX disclosed in January that its computer system had been breached. This breach involved more than 45 million credit and debit card numbers, as well as other personal information such as driver’s license numbers collected when customers returned merchandise without receipts.
“This case is a wake-up call for all retailers. They must collect only the personal information necessary for a transaction,” says Frank Work, the Information and Privacy Commissioner of Alberta.
The report also hits TJX for not only collecting more customer information than was needed for completing a transaction, but also for failing to take adequate measures to protect the collected data. The commissioners fault TJX for not having a monitoring system in place that could detect the breach earlier and for failing to implement the Payment Card Industry data security standards mandated by major credit card companies. Banks and credit unions here in the U.S. have filed lawsuits against TJX as a result of this breach (see related story: New England Banks File Class Action Suit Against Retailer TJX ).
The investigation concludes that TJX did not comply with the federal private sector privacy law, the Personal Information Protection and Electronic Documents Act PIPEDA), and Alberta’s Personal Information Protection Act (PIPA). The investigation finds:
- TJX did not properly manage the risk of an intrusion against the amount of customer data that it collected.
- The company failed to act quickly in converting from a weak encryption standard (Wireless Encryption Protocol or WEP) to a stronger standard (Wi-Fi Protected Access or WPA/WPA2). The conversion process took two years to complete, during which time the breach occurred.
- TJX did not meet its duty to monitor its computer systems vigorously. An adequate monitoring system should have alerted the company of an intrusion prior to December 2006.
- The company did not adhere to the requirements of the Payment Card Industry Data Security Standard, which was developed to address the growing problem of credit card data theft.
The investigation also finds the company did not have a reasonable purpose to collect driver’s license and other identification numbers such as the Social Insurance Number (Canada’s version of the Social Security Number) when customers returned merchandise with no receipt. TJX stated it asked for this information as part of a fraud prevention process to identify people frequently returning merchandise. TJX retained the driver’s license numbers – an extremely valuable piece of information for identity thieves – indefinitely. TJX Response
In response to the reports, TJX proposes a new process to address fraudulent returns. Store staff will continue to ask for identification, however, information such as a driver’s license number will instantly be converted into a unique identifying number when it is keyed into the point-of-sale system. This will allow the company to track unreceipted merchandise returns without keeping original driver’s license numbers in its system.
The report lists a number of steps for TJX to take to improve its security measures and privacy practices. TJX said it has agreed to follow these recommendations.
Stoddart says the Winners/HomeSense breach illustrates the need to get security right in the first place to avoid the potentially huge costs of mopping up after a security breach. Some have already estimated the cost to TJX of this breach at $150 million.