Investigators Blame Lax Security For T.J. Maxx Data Breach - InformationWeek

A report out of Canada also gives credence to widespread conjecture that hackers may have accessed the retailer's network through a wireless connection.

A Canadian investigation into the massive data breach at the parent company of T.J. Maxx is pointing the finger at the retailer for not putting "adequate security safeguards" in place and for holding on to too much customer information.

A joint investigation by two Canadian privacy commissioners also notes that the hacker may well have accessed the TJX network through wireless local area networks at two of the company's U.S. stores. That piece of the puzzle comes after months of speculation about the break-in entry point.

"The company collected too much personal information, kept it too long, and relied on weak encryption technology to protect it, putting the privacy of millions of its customers at risk," said Privacy Commissioner of Canada Jennifer Stoddart. "Criminal groups actively target credit card numbers and other personal information. A database of millions of credit card numbers is a potential gold mine for fraudsters and it needs to be protected with solid security measures."

The investigation also reported that:

  • TJX failed to act quickly in moving from a weak encryption standard to a stronger one. The conversion process took two years to complete, during which time the breach occurred.
  • TJX did not meet its duty to monitor its computer systems vigorously. An adequate monitoring system should have alerted the company to the intrusion before December 2006.
  • The company didn't adhere to the requirements of the Payment Card Industry Data Security Standard, which was developed to address the growing problem of credit card data theft.

Earlier this year, TJX announced the loss of more than 45 million credit and debit card numbers that were stolen from its IT systems during an 18-month period. It's considered to be the largest customer data breach on record.

Canadian investigators pointed out that the breach involved millions of credit and debit card numbers, as well as other personal information, such as driver's license numbers that were collected when customers returned merchandise without receipts. Customer information was stolen from mid-2005 through December 2006, the investigation reported. Some stolen information involved transactions dating back to 2002.

TJX, which is the parent company of retailers like T.J. Maxx, Marshalls, and HomeGoods, reported in its second-quarter earnings in August that the company had to absorb a $118 million charge related to the massive security breach. For the second quarter, which ended July 28, the breach cost 25 cents per share -- 10 times more than the 2 cents to 3 cents company executives estimated just three months ago.

Earlier this week, TJX announced a proposed settlement that offers to reimburse people for the cost of replacing their driver's licenses, three years of credit monitoring, and a three-day, 15%-off sale.

"This case is a wake-up call for all retailers. They must collect only the personal information necessary for a transaction," said Frank Work, the Information and Privacy Commissioner of Alberta, in a written statement. "One positive outcome of this extremely unfortunate breach is that TJX worked cooperatively with us to develop a new process for dealing with un-receipted returns, which strikes an appropriate balance between privacy rights and a retailer's need to take steps to prevent fraud."
