ITPRO

Printed from www.itpro.co.uk

    Report slams TJX security as retailer offers data theft payout

Canadian Privacy Commissioner delivers damning verdict on data breach and privacy infringement, as TJX proposes out-of-court settlement.

By Miya Knights, 27 Sep 2007 at 13:38

Clothing retailer TJX, known as TK Maxx in the UK, has proposed an out-of-court settlement in the customer class actions it faces, while the Office of the Privacy Commissioner of Canada (OPC) has issued a damning report into its security practices.

The retailer, whose systems were broken into to steal data on an estimated 45 million payment cards used in Canada, the US, Puerto Rico, the UK and Ireland, faces legal action from a number of quarters, not least the banks that had to replace compromised cards and track down potentially fraudulent transactions.

But last Friday the company issued a statement offering US, Canadian and Puerto Rican customers compensation for losses incurred from the breach.

It has emerged that, in addition to customers' credit and debit card details, some driving licence information was also leaked. TJX collected this extra identification, as a fraud-prevention measure, whenever a customer tried to make a return without a receipt.

It is now offering customers whose driving licence information was compromised up to three years free credit monitoring along with identity theft insurance and reimbursement for the cost of having documentation replaced.

Other customers who shopped at TJX stores in the US, Canada and Puerto Rico will be offered vouchers if they can prove they shopped in store during the periods the intruder had access to its systems and incurred losses as a result.

TJX also said this compensation package puts the total cost of the breach so far at $150 million (£74.4 million).

But this week the OPC may have given other parties the ammunition they need to push that figure up: its damning report on the breach said the breach was "foreseeable" because the retailer was "retaining too much [personal] data for too long".

It said TJX and its subsidiaries, including TK Maxx in the UK, had breached the Canadian equivalents of the UK Data Protection Act: the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and Alberta's Personal Information Protection Act (PIPA).

It said the experience of TJX and its Canadian subsidiary illustrates how holding large amounts of sensitive information can be a liability, particularly where the information serves no legitimate purpose or is retained longer than necessary.

The OPC said the retailer had no justifiable reason to collect driving licence numbers alongside credit or debit card details for refund purposes, nor to store them indefinitely.

It was also highly critical of the company's security procedures at the time, particularly at the two US stores where the intrusion originated. The Wi-Fi networks infiltrated at those stores were protected only by Wired Equivalent Privacy (WEP), the original 802.11 encryption scheme, whose weaknesses had been published in 2001, together with working key-recovery tools, years before the 2005 intrusions.

The OPC said: "It appears that the intruder may have accessed the RTS [retail transaction switch] servers and client data due to a weak or inadequate encryption standard. WEP cannot be relied on as a secure system since the encryption is easily bypassed, and it is not adequate for protecting a network."
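As an added illustration of why the OPC could call WEP's encryption "easily bypassed", here is a toy model of WEP in Python. It is example code written for this page, not anything from the article, the OPC report or TJX, and it makes no claim about how the TJX intruder actually got in. The key, IV and frame contents are constructed for the demo. It shows two of the published weaknesses: WEP's 24-bit IVs repeat quickly, and once an IV repeats the same RC4 keystream masks two frames, so a known plaintext (every IP frame starts with the same LLC/SNAP header) recovers the other frame's contents; and because the CRC-32 integrity check is affine and merely XORed with keystream, an attacker can alter a frame and repair the check without the key.

```python
"""Toy WEP model (RC4 keyed with IV||key, CRC-32 ICV). Added example for this
article; not code from the article, the OPC report or TJX."""
import zlib

IV_SPACE = 2 ** 24  # WEP IVs are 24 bits and travel in the clear


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling plus keystream generation; encrypt and decrypt are the same."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def crc32_le(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (cleartext) || RC4_{IV||key}(plaintext || CRC32(plaintext))."""
    return iv + rc4(iv + wep_key, plaintext + crc32_le(plaintext))


def wep_decrypt(wep_key: bytes, frame: bytes):
    """Returns (plaintext, icv_ok); a receiver accepts the frame only when icv_ok."""
    iv, body = frame[:3], frame[3:]
    clear = rc4(iv + wep_key, body)
    plaintext, icv = clear[:-4], clear[-4:]
    return plaintext, crc32_le(plaintext) == icv


def recover_by_keystream_reuse(known_frame: bytes, known_plaintext: bytes,
                               target_frame: bytes) -> bytes:
    """Weakness 1: the keystream depends only on IV||key, so two frames sharing
    an IV are masked by the same keystream. One known plaintext exposes the
    keystream and with it the other frame's contents (up to the known length)."""
    if known_frame[:3] != target_frame[:3]:
        raise ValueError("IVs differ, so the keystreams do not collide")
    keystream = xor(known_frame[3:], known_plaintext + crc32_le(known_plaintext))
    return xor(target_frame[3:], keystream)


def flip_bits_without_key(frame: bytes, delta: bytes) -> bytes:
    """Weakness 2: CRC-32 is affine, crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros),
    and the ICV is only XORed with keystream, so XORing `delta` into the
    ciphertext plus the matching correction into the ICV yields a frame the
    receiver still accepts. `delta` must span the whole plaintext."""
    body = frame[3:]
    if len(delta) != len(body) - 4:
        raise ValueError("delta must be the same length as the plaintext")
    icv_delta = xor(crc32_le(delta), crc32_le(bytes(len(delta))))
    return frame[:3] + xor(body, delta + icv_delta)


def iv_collision_probability(frames: int) -> float:
    """Birthday bound: chance that at least two of `frames` random 24-bit IVs repeat."""
    p_distinct = 1.0
    for i in range(frames):
        p_distinct *= 1 - i / IV_SPACE
    return 1 - p_distinct


# Constructed demo data, not captured traffic. Real WEP payloads begin with the
# LLC/SNAP header AA AA 03 00 00 00 plus an EtherType, which is known plaintext.
KEY = bytes.fromhex("0b1d2f3a4c")  # 40-bit WEP key, an assumption for the demo
IV = bytes.fromhex("0a0b0c")
LLC_IP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"
KNOWN_PT = LLC_IP + b"GET /index.html HTTP/"   # contents the attacker knows
SECRET_PT = LLC_IP + b"card=4111111111111111"  # same length, unknown to attacker


def demo():
    known = wep_encrypt(KEY, IV, KNOWN_PT)
    secret = wep_encrypt(KEY, IV, SECRET_PT)  # IV reused: same keystream
    recovered = recover_by_keystream_reuse(known, KNOWN_PT, secret)[:len(SECRET_PT)]
    # Tamper with the last four digits of the card number; the key stays unknown.
    delta = bytearray(len(SECRET_PT))
    delta[-4:] = xor(b"1111", b"9999")
    forged_pt, forged_ok = wep_decrypt(KEY, flip_bits_without_key(secret, bytes(delta)))
    return recovered, forged_pt, forged_ok


if __name__ == "__main__":
    rec, forged, ok = demo()
    print("recovered:", rec)
    print("forged frame accepted:", ok, forged)
    print("P(IV repeat after 5000 frames):", round(iv_collision_probability(5000), 3))
```

With random IVs, about 5,000 frames already give better than even odds of a repeat, and many cards of the era used a counter reset to zero at power-up, which makes repeats far more frequent. The real-world tools of the time went further than this demo and recovered the WEP key itself from statistically weak IVs, after which every frame on the network could be decrypted; neither problem can be configured away, which is why the fix is a different protocol rather than a longer key.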

Although the Commissioner's office was satisfied with the steps TJX has taken since the breach, moving its stores to the more secure Wi-Fi Protected Access (WPA) protocol and changing its data collection and retention policies centrally, it still found that the arrangements in place at the time of the breach did not meet the safeguard provisions of either PIPEDA or PIPA.

"We continue to contend that TJX did not have reasonable security arrangements in place at the time of the breach. Too much sensitive information was retained, and safeguards in place had inherent weaknesses. Robust security safeguards include a variety of elements, such as asset management, network segregation and active monitoring. We believe that TJX did not have as robust a system in place at the time as it could have had," it said.

TJX data breach timeline:

18 December 2006: TJX learned that suspicious software had been detected on a portion of its computer system.

22 December 2006: TJX notified various US law enforcement agencies of the suspected intrusion.

26 and 27 December 2006: TJX notified its contracting banks and its credit card, debit card and cheque processing companies of the suspected intrusion.

27 December 2006: TJX determined that customer information had also been accessed from one of its systems during the computer intrusion.

18 February 2007: TJX's investigation found evidence indicating that the intrusion may have been initiated earlier than previously reported and that additional customer information had possibly been accessed.

21 February 2007: TJX publicly announced additional findings regarding the timing and scope of the intrusion. It reported that the system was accessed by the intruder in July and September 2005, and from mid-May 2006 to mid-January 2007.
