Investigators Blame Lax Security For T.J. Maxx Data Breach

A report out of Canada also gives credence to widespread conjecture that hackers may have accessed the retailer's network through a wireless connection.

Sharon Gaudin, Contributor

September 26, 2007


A Canadian investigation into the massive data breach at the parent company of T.J. Maxx is pointing the finger at the retailer for not putting "adequate security safeguards" in place and for holding on to too much customer information.

A joint investigation by two Canadian privacy commissioners also notes that the hacker may well have accessed the TJX network through wireless local area networks at two of the company's U.S. stores. That piece of the puzzle comes after months of conjecture and widespread speculation about the break-in's point of entry.

"The company collected too much personal information, kept it too long, and relied on weak encryption technology to protect it, putting the privacy of millions of its customers at risk," said Privacy Commissioner of Canada Jennifer Stoddart. "Criminal groups actively target credit card numbers and other personal information. A database of millions of credit card numbers is a potential gold mine for fraudsters and it needs to be protected with solid security measures."

The investigation also reported that:

  • TJX failed to act quickly in moving from a weak encryption standard to a stronger one. The conversion process took two years to complete, during which time the breach occurred.

  • TJX did not meet its duty to monitor its computer systems vigorously. An adequate monitoring system should have alerted the company to an intrusion prior to December 2006.

  • The company didn't adhere to the requirements of the Payment Card Industry Data Security Standard, which was developed to address the growing problem of credit card data theft.

Earlier this year, TJX announced the loss of more than 45 million credit and debit card numbers that were stolen from its IT systems during an 18-month period. It's considered to be the largest customer data breach on record.

Canadian investigators pointed out that the breach involved millions of credit and debit card numbers, as well as other personal information, such as driver's license numbers that were collected when customers returned merchandise without receipts. Customer information was stolen from mid-2005 through December 2006, the investigation reported. Some stolen information involved transactions dating back to 2002.

TJX, which is the parent company of retailers like T.J. Maxx, Marshalls, and HomeGoods, reported in its second-quarter earnings in August that the company had to absorb a $118 million charge related to the massive security breach. For the second quarter, which ended July 28, the breach cost 25 cents per share -- 10 times more than the 2 cents to 3 cents company executives estimated just three months ago.

Earlier this week, TJX announced a proposed settlement that offers to reimburse people for the cost of replacing their driver's licenses, three years of credit monitoring, and a three-day, 15%-off sale.

"This case is a wake-up call for all retailers. They must collect only the personal information necessary for a transaction," said Frank Work, the Information and Privacy Commissioner of Alberta, in a written statement. "One positive outcome of this extremely unfortunate breach is that TJX worked cooperatively with us to develop a new process for dealing with un-receipted returns, which strikes an appropriate balance between privacy rights and a retailer's need to take steps to prevent fraud."
