Framingham discounter TJX Cos. failed to keep adequate security safeguards to protect customer information from hackers who stole millions of credit and debit card numbers after intercepting wireless transactions at two Miami area Marshalls stores.
Canadian privacy officials conducted an eight-month investigation into the TJX breach – the largest loss of personal data ever reported – and concluded that the merchant violated federal and local privacy laws in Canada by gathering vast amounts of consumer information and failing to appropriately monitor or protect the data.
Thieves stole at least 45.7 million credit and debit card numbers, along with hundreds of thousands of driver’s license numbers, dating to Dec. 31, 2002.
Findings from the investigation by Canada’s Privacy Commissioner against TJX in Canada

| # | What is the problem – TJX failed to: | Description |
|---|---|---|
| 1 | manage the risk of a breach | robust security safeguards such as asset management and network segregation were not used properly |
| 2 | encrypt data strongly enough | its stores (including all WMI stores) did not use WPA encryption technology when the breach happened; TJX relied on a weak encryption protocol and failed to convert to a stronger encryption standard within a reasonable period of time |
| 3 | monitor its systems well enough | the safeguards in place had inherent weaknesses and monitoring was inadequate; in fact, the privacy commissioner’s report indicates that TJX did not have as robust a system in place at the time as it could have had |
| 4 | act in accordance with Payment Card Industry (PCI) standards (in the U.S., card issuers are taking TJX to court exactly because of this; we reported this in "Judge starts spelling out the costs to TJX") | Payment Card Industry Data Security Standard (PCI DSS) version 1.1 was released in September 2006; prior to that, PCI DSS version 1.0 was released in December 2004. The PCI DSS was developed and endorsed by the Payment Card Industry (PCI) Security Standards Council. It is based on 12 principles that cover such aspects as security management, policies, procedures, network architecture, software design and other critical protective measures such as monitoring and testing of networks. Several of the requirements of this standard that must be met by companies accepting credit cards for payment were violated by TJX. |
| 5 | limit the information it collected and retained | it retained years-old customer data, including driver’s license numbers collected when customers returned merchandise without receipts; some of the stolen information was from transactions concluded as long ago as 2002, data that should have been quickly purged from TJX’s data systems, thereby putting the privacy of millions of its customers at risk |
The investigation was carried out by the federal privacy commissioner and the privacy commissioner of Alberta, a Canadian province with privacy laws that differ from the national laws. They investigated TJX and its subsidiaries Winners Merchant International and HomeSense, the shops it operates in Canada.
CONCLUSION
Even though it violated Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) as well as similar provincial legislation in Alberta, TJX isn’t about to face any fines.
Jennifer Stoddart, Canada’s Privacy Commissioner, and Frank Work, the Information and Privacy Commissioner of Alberta, found that TJX violated Canadian privacy law and failed to meet retail industry standards for protecting credit card data.
The report also indicates that TJX cooperated with the investigation, making the commissioners decide not to pursue a case with Canada’s federal courts, which have the power to levy damages.
Most IT managers reading this report will probably close it with a shrug. Who couldn’t suggest tougher encryption to protect data? The privacy experts need to go beyond surface advice and help technology professionals figure out their place in safeguarding information. Unfortunately, it appears that the investigators lacked the technical savvy and insights to come up with a report that is really putting the finger on the sore spots.
Imagine a privacy commissioner bold enough to suggest additional powers for IT managers under PIPEDA that would give their ideas greater weight in the decision-making processes concerning consumer data. As the legislation exists today, companies like TJX will likely ignore PIPEDA when a breach like this occurs, because it is just one Act among many. There is little real accountability and few consequences, apart from a few more headlines.
See also:
Canadians also have something titled the Privacy Act – PIPEDA’s public sector sister legislation.
TIDBIT
The federal privacy commissioner is an officer of the Canadian Parliament and has the power to conduct investigations, compel people to give evidence, and take action through the courts based on Canada’s privacy laws.