Ads by TechWords

See your link here
Receive the latest technology news and information.
Security
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
Cloud Computing
View all newsletters




Privacy Policy
 

Canadian probe finds TJX breach followed wireless hack

Privacy commissioners blame company for keeping too much customer data

September 25, 2007 12:00 PM ET

Computerworld - After months of speculation about how exactly the intrusion at TJX Companies Inc. happened, officials now know what happened.

The intruders who broke into TJX's networks and stole data involving more than 45 million credit card and debit card numbers first gained access to the company's systems via poorly protected wireless local-area networks -- as some have previously theorized. The break-ins happened at two Marshalls stores in Miami.

The stolen information was accessed from the Retail Transaction Switch (RTS) servers that were responsible for processing and storing information related to customer transactions at TJX stores. The data compromised by the breach included driver's license numbers and other personally identifiable information related to payment-card and merchandise return transactions for which a receipt was not present.

However, deletion technology used by the intruders has so far made it impossible for TJX to determine exactly the contents of most of the files created and downloaded by the intruders.

These and other details were released today following a joint investigation into the TJX data breach conducted by Canada's national privacy commissioner and the privacy commissioner of Alberta.

In a 20-page report (download PDF), the commissioners lay the blame squarely on TJX for not only collecting more customer information than was needed for completing a transaction, but also for failing to take adequate measures to protect the collected data. The commissioners also faulted TJX for not having a monitoring system in place that could detect the breach earlier and for failing to implement the Payment Card Industry data security standards mandated by major credit card companies.

"The finding was that there was too much information collected by the retailer" -- in particular, driver's license information, Frank Work, the information and privacy commissioner of Alberta, said at a news conference announcing the findings this morning. Customer data was also kept too long -- in some cases indefinitely, Work said.

In addition, "the final finding was that the security measures put in place relied on weak encryption technology, in particular WEP [Wired Equivalent Privacy]," said Canada's privacy commissioner, Jennifer Stoddart. "The finding was that TJX should have moved to WPA [Wi-fi Protected Access] earlier."

Work noted that TJX disagreed with the commissioner's findings that it should have moved to WPA earlier. "But as the regulators, we are entitled to make that finding, and that's the finding we made. We are not interested in beating up on TJX. They got burned. But so did a lot of other institutions and so did a lot of customers. The value of this report lies in informing industry how not to get burned."



Jump to comments

TJX

Additional Resources

WHITE PAPER
Approximately 60 percent of data migration projects overrun time or budget, while some fail completely. Download this white paper, "Enhancing Your Chance for Successful Data Migration," to learn the critical steps you need to take to execute a data migration project with minimum cost and risk to your business.
WHITE PAPER
Read the Gartner research note to learn why the TCO of a server-based computing deployment used to deliver all applications to users is around 50% lower than that of an unmanaged desktop deployment.
WHITE PAPER
Economic downturns have a tendency to accelerate emerging technologies, boost the adoption of effective solutions, and punish solutions that are not cost competitive or that are out of synch with industry trends. This IDC White Paper presents the results of an IDC survey of 330 companies in Western Europe, Asia/Pacific and the Americas that measures the receptiveness to Linux and takes into consideration changing views driven by the disruptive economic environment that businesses face today.

What People Are Saying

White Papers & Webcasts

Share our Strength
Download Now  

Managing Secure File Transfer to Save Time, Money and IT Resources
Learn how companies are using innovative technology to overcome these challenges and improve user productivity by offloading e-mail attachments and replacing FTP with...

Security Convergence Equals Network Security Cost Savings
Listen to IBM Internet Security Systems' take on network security convergence.

Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...