Canadian probe finds TJX breach followed wireless hack

Privacy commissioners blame company for keeping too much customer data

After months of speculation about how exactly the intrusion at TJX Companies happened, officials now know.

The intruders who broke into TJX's networks and stole data involving more than 45 million credit card and debit card numbers first gained access to the company's systems via poorly protected wireless local-area networks -- as some have previously theorized. The break-ins happened at two Marshalls stores in Miami.

The stolen information was accessed from the Retail Transaction Switch (RTS) servers that were responsible for processing and storing information related to customer transactions at TJX stores. The data compromised by the breach included driver's license numbers and other personally identifiable information related to payment-card and merchandise return transactions for which a receipt was not present.

However, deletion technology used by the intruders has so far made it impossible for TJX to determine exactly the contents of most of the files created and downloaded by the intruders.

These and other details were released today following a joint investigation into the TJX data breach conducted by Canada's national privacy commissioner and the privacy commissioner of Alberta.

In a 20-page report, the commissioners lay the blame squarely on TJX for not only collecting more customer information than was needed for completing a transaction, but also for failing to take adequate measures to protect the collected data. The commissioners also faulted TJX for not having a monitoring system in place that could detect the breach earlier and for failing to implement the Payment Card Industry data security standards mandated by major credit card companies.

"The finding was that there was too much information collected by the retailer" -- in particular, driver's license information, Frank Work, the information and privacy commissioner of Alberta, said at a news conference announcing the findings this morning. Customer data was also kept too long -- in some cases indefinitely, Work said.

In addition, "the final finding was that the security measures put in place relied on weak encryption technology, in particular WEP [Wired Equivalent Privacy]," said Canada's privacy commissioner, Jennifer Stoddart. "The finding was that TJX should have moved to WPA [Wi-fi Protected Access] earlier."

Work noted that TJX disagreed with the commissioner's findings that it should have moved to WPA earlier. "But as the regulators, we are entitled to make that finding, and that's the finding we made. We are not interested in beating up on TJX. They got burned. But so did a lot of other institutions and so did a lot of customers. The value of this report lies in informing industry how not to get burned."

The Canadian report comes about eight months after TJX disclosed that unknown intruders had gained access to its payment systems and compromised data belonging to millions of customers in several countries, including Canada. Since then, there has been speculation that the breach was the result of a wireless hack into one of the company's U.S.-based stores. A story earlier this year by The Wall Street Journal quoted investigators as saying the TJX intruders had gained access via a wireless LAN break-in at a Marshalls in Minnesota. The report released today in Canada is the first to officially spell out how the breach occurred, and where.

The Canadian privacy commissioners said they have asked TJX to stop collecting driver's license information and other forms of identifying data during merchandise returns and to purge such information from its databases. They also instructed TJX to notify customers about the purpose for -- and potential disclosure of -- all personal information collected once it implements a new return policy.

In response, TJX said it needs the driver's license data as part of a fraud prevention process to identify people who frequently return merchandise. Going forward, the company will continue to ask for identification, but in Canada it has agreed to implement a process under which driver's license numbers will be automatically hashed into a unique identifying number when keyed into a point-of-sale system.

The TJX data breach is the largest ever disclosed. It has already cost the company over $150 million. Yesterday, the company announced a proposed settlement of consumer class action lawsuits that have been initiated against it. The proposed settlement includes credit and ID theft monitoring services for up to three years for individuals whose driver's license numbers were compromised, shopping vouchers for those whose card information might have been stolen, and a one-time three-day event in 2008 during which the company will sell items at a 15 percent discount in all of its stores.

The Canadian investigation shows that the TJX breach has moved to a new level, said Deepak Taneja, CEO of Aveska, a provider of access control technologies. "It has now become an international incident," with Canada's privacy commissioners saying that the company failed to follow that country's data protection laws. "I wouldn't be surprised if someone in Europe came and said they failed to comply with European compliance requirements."

Regardless of how the intruders accessed the TJX network, what is more important is the fact that they remained undetected for two years, Taneja added. "To me the largest issue is security governance. This was just poor security governance" on TJX's part.

Despite the negative publicity generated by the breach, TJX so far has escaped relatively unscathed in terms of customer confidence. Just 22 percent of TJX customers in an August 2007 survey by analyst firm Gartner said they're much less inclined to shop at TJX stores. "We believe many of them will likely change their minds as soon as they see an attractive TJX sale," Gartner analyst Avivah Litan said. "Most TJX customers clearly care more about discounts than about card security, because they know banks will usually cover potential losses if a card is stolen and used."

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jaikumar Vijayan

Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?