TJX Breach Could Have Been Avoided

A massive security breach at TJX Companies that led to the loss of personal information on millions of customers is a direct result of inadequate security safeguards and poor security planning, an investigation by Canadian privacy commissioners has found.

In a report released this week, Canada’s Privacy Commissioner, Jennifer Stoddart, blasted the parent of the TJ Maxx, Marshalls and A.J. Wright chain of stores, for failing to protect its customers. “The company collected too much personal information, kept it too long and relied on weak encryption technology to protect it—putting the privacy of millions of its customers at risk,” Stoddart said in releasing the report.

“The TJX breach is a dramatic example of how keeping large amounts of sensitive information—particularly information that is not required for business purposes—for a long time can be a serious liability.”

An investigation by Framingham, Mass.-based TJX earlier this year determined that an intruder may have initially gained access to customer information via a wireless local area network at two of its Marshalls stores in the Miami area. Customer information was subsequently stolen from mid-2005 through December 2006. In all some 45 million credit cards, drivers license numbers and payment cards belonging to individuals in the U.S., Canada, Europe and Asia were compromised. In Canada, TJX operates the Winners and HomeSense retail chains.

The investigation found the company did not have a good reason to collect drivers license information and other identification numbers when merchandise was returned without receipts. TJX stated it asked for this information to prevent fraud, but it then kept driver’s license numbers indefinitely.

Among other findings by the investigation:

  • TJX did not properly manage the risk of an intrusion against the amount of customer data it collected.
  • The company failed to act quickly in converting from a weak encryption standard to a stronger standard. The conversion took two years to complete, during which time the breach occurred.
  • An adequate monitoring system could have alerted the company to the intrusion prior to December 2006.
  • The company did not adhere to the requirements of the Payment Card Industry Data Security Standard, which was developed to address credit card data theft.
  • Related article: Retailers Rushing to Meet New Standard for Data Security”