Canadian privacy chief: TJX kept too much info; breach began in Miami
Before TJX revealed its servers had been breached by hackers, the retail giant collected and stored unnecessary and excessive amounts of personal information for too long and relied on outdated encryption technology to defend the data, according to a report released today by Canadian privacy officials.
The report, the result of an eight-month investigation by the Canadian government, also indicates hackers gained initial access into the central database through insecure wireless connections at two Marshalls locations in Miami. The city is the hometown of a 19-year-old man who recently pleaded guilty to leading a fraud ring that used stolen TJX data to make purchases throughout Florida.
The report, penned by the Office of the Privacy Commissioner of Canada, contradicts a widely accepted belief, first reported by The Wall Street Journal earlier this year, that the attackers made their initial intrusion through the wireless connection of a Minneapolis Marshalls.
"The information that we have from TJX is that the hackers gained entry into the Miami stores," Elizabeth Dunham, a director in the Office of the Privacy Commissioner, said on a conference call announcing the findings.
TJX also was in violation of the Payment Card Industry standard when thieves stole some 45.7 million credit card and driver's license numbers over a two-year period, the report said.
Frank Work, information and privacy commissioner of Alberta, whose office assisted in the investigation, said TJX – whose Canadian retailers include Winners and HomeSense – relied on weak encryption technology.
The company was running a wireless network protected by the Wired Equivalent Privacy (WEP) industry standard, which since has been superseded by the more robust Wi-Fi Protected Access (WPA) guidelines. Work said TJX disputes the time it shifted to the WPA protocol.
The report also found that TJX deployed poor monitoring technology, as the company was unable to track the footprints of the thieves who moved in and out of the system for two years.
Brian Cleary, vice president of marketing at enterprise access governance provider Aveksa, told SCMagazineUS.com that TJX appears to have lacked proper access control policies.
"I view it as a violation of most privileged access," said Cleary, who listened to the call. "How did they get that fine grain entitlement access and not have it revoked?"
The report's major recommendation to TJX was to implement a new cryptographic process in which drivers' license numbers – which had been collected from consumers returning items without a receipt – are converted into a "hash value," rendering the data unreadable.
A TJX spokeswoman did not return a call for comment, but Dunham said TJX has accepted all of the report's recommendations.
Meanwhile, Jennifer Stoddard, privacy commissioner of Canada, said businesses and consumers can defend themselves against data exposures.
"The message for retailers is to think carefully about how the use of personal information figures into your marketing and administration," she said. "Think about what information you're collecting, why you have to collect it, how long you're keeping it. How could you be vulnerable if there is a leak inside or outside your company?"
Consumers, she said, should be vigilant and ask questions of retailers.
"We have to realize the potential for the misuse of this personal information," Stoddard said. "Ask where this is going. Ask who's doing what with your personal information."