http://online.wsj.com/article/SB119076398490039298.html

By Joseph Pereira
September 26, 2007

TJX Cos., owner of the T.J. Maxx and Marshalls discount chains, failed to upgrade its data-encryption system in time to thwart one of the largest credit-card data thefts in North America, a Canadian government investigation found.

Investigators also found that the Framingham, Mass.-based retailer was holding on to its customers' personal information unnecessarily and for too long, exposing data on at least 45.7 million credit-card numbers to hackers.

As a result of their findings, the privacy commissioners of Canada and the province of Alberta -- which jointly conducted the seven-month probe -- recommended a number of corrective actions by TJX, including the use of a sophisticated coding system to protect driver's-license information and the deletion of all credit-card data after 18 months.

"Basically, what we're asking for is standard practice in the industry," said Wayne Wood, a spokesman for the Office of the Information and Privacy Commissioner of Alberta.

In a statement, TJX spokeswoman Sherry Lang said, "While we respectfully disagree with many of the commissioners' factual findings and legal conclusions, we have chosen to implement their recommendations."

Investigators found that TJX was using a weak encryption protocol to protect its consumer data in July 2005, when hackers first broke into its computer system. The protocol, known as Wired Equivalent Privacy, or WEP, isn't recommended by security experts even for wireless home networks because it is so vulnerable to hackers. TJX decided to upgrade to the more secure Wi-Fi Protected Access encryption protocol at the end of September 2005, Canadian officials said. By then, however, hackers had been able to access the company's internal transaction database. They did so initially from outside two stores in Miami, the probe found. The breach was discovered by TJX this past December and publicly disclosed in January.
TJX is now under investigation by the Federal Trade Commission and other U.S. government agencies. Several lawsuits also have been filed by banks for losses as a result of the credit- and debit-card data theft. Last week, the company settled a number of class-action lawsuits filed on behalf of U.S. and Canadian consumers whose names, addresses, driver's-license information and credit-card information were stolen in the computer-system break-in.

"The TJX breach is a dramatic example of how keeping large amounts of sensitive information -- particularly information that is not required for business purposes -- for a long time can be a serious liability," Jennifer Stoddart, Canada's privacy commissioner, said in a statement.
This archive was generated by hypermail 2.1.3 : Wed Sep 26 2007 - 23:20:20 PDT