Just days after TJX Companies reached a tentative settlement with millions of consumers who had their credit or debit card data stolen, the Canadian government issued a report Tuesday on its investigation into the security failures at the company that led to the breach in the first place.
Their conclusion? According to privacy commissioners for Canada and the province of Alberta, the security breach, which compromised the financial data of an estimated 45 million customers in the U.S., Canada, Puerto Rico, the U.K. and Ireland, was foreseeable and the company failed to put in place adequate security safeguards.
The breaches occurred from mid-2005 through December 2006, apparently beginning with intruders breaking into the wireless networks at two U.S. stores. Framingham, Mass.-based TJX is the parent company of T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S., as well as Winners and HomeSense in Canada.
The Canadian report found that the company had failed to upgrade some wireless networks from the relatively weak Wired Equivalent Privacy (WEP) to the stronger Wi-Fi Protected Access (WPA) protocol in a timely fashion, creating the opportunity for outside intrusion.
What helped make it the largest data breach reported up to that point, however, was that TJX had collected so much data on its customers and had left it too easily accessible.
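The report only names WEP as "relatively weak"; the following is an added illustration of one reason why, not code from the article or from the commissioners' report. WEP encrypts each frame with RC4 keyed by a 24-bit cleartext IV prepended to the shared key. The IV space is so small that IVs repeat on a busy network, and two frames encrypted under the same IV share a keystream, so a known plaintext in one frame decrypts the other without ever recovering the key. The shared key, IV and frame contents below are constructed for the demonstration, and the CRC-32 integrity value real WEP appends is omitted.

```python
import math

# Added example: toy WEP frames built from plain RC4, to show how IV reuse
# lets an eavesdropper decrypt traffic with a known plaintext and no key.
# Key, IVs and frame bodies are constructed for illustration.

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + PRGA). Encrypt and decrypt are the same op."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: 3-byte cleartext IV, then RC4(IV || key, plaintext).
    WEP-40 uses a 5-byte shared key, giving a 64-bit RC4 key with the IV."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + rc4(iv + shared_key, plaintext)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_known_plaintext(frame_known: bytes, known_plaintext: bytes,
                                 frame_target: bytes):
    """Attacker's view: no key. If both frames carry the same IV they were
    encrypted with the same keystream, so ciphertext XOR known plaintext
    yields the keystream, and keystream XOR target ciphertext yields the
    target's plaintext (as many bytes as the known plaintext covers)."""
    iv_a, ct_a = frame_known[:3], frame_known[3:]
    iv_b, ct_b = frame_target[:3], frame_target[3:]
    if iv_a != iv_b:
        return None  # different keystreams; this trick does not apply
    keystream = xor(ct_a, known_plaintext)
    return xor(ct_b, keystream)


def frames_until_iv_collision(p: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: frames needed before two random IVs collide with
    probability p. Cards that count IVs sequentially from zero collide with
    each other even sooner, since every one starts at the same value."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * n * math.log(1 / (1 - p))))


if __name__ == "__main__":
    key = b"\x13\x37\xca\xfe\x00"          # constructed 40-bit shared key
    iv = b"\x00\x00\x2a"                    # same IV reused by two frames
    # Every 802.11 data frame starts with a fixed LLC/SNAP header, so the
    # first bytes of plaintext are known to any listener; here the attacker
    # also knows the rest of one frame (e.g. an ARP request it provoked).
    snap = b"\xaa\xaa\x03\x00\x00\x00"
    known = snap + b"\x08\x06" + b"\x00" * 32
    target = snap + b"\x08\x00" + b"PAN=4111111111111111 EXP=0109"
    f_known = wep_encrypt(key, iv, known)
    f_target = wep_encrypt(key, iv, target)
    print(recover_with_known_plaintext(f_known, known, f_target))
    print("frames before a 50% chance of an IV repeat:",
          frames_until_iv_collision())
```

The birthday figure is what makes the finding concrete: a few thousand frames, which a store's point-of-sale traffic produces quickly, are enough for a repeated IV, and the attacker does not need to break RC4 or learn the shared key at all. WPA2 with CCMP avoids this by deriving per-session keys and using a 48-bit packet number that never repeats within a session.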
“The company collected too much personal information, kept it too long and relied on weak encryption technology to protect it – putting the privacy of millions of its customers at risk,” Jennifer Stoddart, Privacy Commissioner of Canada, said in a statement.
TJX, which owns more than 2,200 stores in North America, first notified the public about the breaches in mid-January 2007. The real extent of the penetration and theft wasn’t known until March, however.
“This breach involved millions of credit and debit card numbers as well as other personal information, such as driver’s license numbers collected when customers returned merchandise without receipts,” according to the Canadian government’s statement.
Tuesday’s report also concluded that TJX violated Canadian privacy laws.
“This case is a wake-up call for all retailers. They must collect only the personal information necessary for a transaction,” Frank Work, Information and Privacy Commissioner of Alberta, said in a statement.
However, the problems that led to the breaches at TJX may be just the tip of the iceberg, and not just for retail companies, according to one observer.
“Organizations really need to think about security governance in more depth,” Brian Cleary, vice president of marketing at enterprise access governance vendor Aveksa in Waltham, Mass., told InternetNews.com. “[What’s more], these are becoming international issues because of large multinational companies around the globe,” Cleary added.
The Canadian report concurs, and issues a stark warning about the long-term costs of such data breaches.
“Organizations need to ensure they have multiple layers of security and that they keep up with advances in security technologies. The cost of failing to do this can be enormous – not only to a company, but to its customers,” commissioner Stoddart’s statement said.
Meanwhile, on September 21, TJX announced a proposed settlement with customers. Among other things, it will provide affected customers with three years of free credit monitoring and identity theft insurance coverage. That settlement still needs to be approved by the courts.
Tuesday’s report said that TJX has cooperated in putting in place new security procedures that are in line with Canadian privacy laws.
One question still haunts Aveksa’s Cleary, however: Why weren’t the data breaches identified for a year and a half?
“The thing that really concerns me is how long they [intruders] had access,” he said, adding that solid auditing procedures should have identified the penetrations much earlier.