After months of speculation about how exactly the intrusion at TJX Companies. happened, officials now know how the theft was committed.
The intruders who broke into TJX's networks and stole data involving more than 45 million credit card and debit card numbers first gained access to the company's systems via poorly protected wireless local-area networks -- as some have previously theorised. The break-ins happened at two Marshalls stores in Miami.
The stolen information was accessed from the Retail Transaction Switch (RTS) servers that were responsible for processing and storing information related to customer transactions at TJX stores. The data compromised by the breach included driver's license numbers and other personally identifiable information related to payment-card and merchandise return transactions for which a receipt was not present.
However, deletion technology used by the intruders has so far made it impossible for TJX to determine exactly the contents of most of the files created and downloaded by the intruders.
These and other details were released today following a joint investigation into the TJX data breach conducted by Canada's national privacy commissioner and the privacy commissioner of Alberta.
In a 20-page report, the commissioners lay the blame squarely on TJX for not only collecting more customer information than was needed for completing a transaction, but also for failing to take adequate measures to protect the collected data. The commissioners also faulted TJX for not having a monitoring system in place that could detect the breach earlier and for failing to implement the Payment Card Industry data security standards mandated by major credit card companies.
"The finding was that there was too much information collected by the retailer" -- in particular, driver's license information, Frank Work, the information and privacy commissioner of Alberta, said at a news conference announcing the findings this morning. Customer data was also kept too long -- in some cases indefinitely, Work said.
In addition, "the final finding was that the security measures put in place relied on weak encryption technology, in particular WEP [Wired Equivalent Privacy]," said Canada's privacy commissioner, Jennifer Stoddart. "The finding was that TJX should have moved to WPA [Wi-fi Protected Access] earlier."
Work noted that TJX disagreed with the commissioner's findings that it should have moved to WPA earlier. "But as the regulators, we are entitled to make that finding, and that's the finding we made. We are not interested in beating up on TJX. They got burned. But so did a lot of other institutions and so did a lot of customers. The value of this report lies in informing industry how not to get burned."
The Canadian report comes about eight months after TJX disclosed that unknown intruders had gained access to its payment systems and compromised data belonging to millions of customers in several countries, including Canada. Since then, there has been speculation that the breach was the result of a wireless hack into one of the company's U.S.-based stores. A story earlier this year by The Wall Street Journal quoted investigators as saying the TJX intruders had gained access via a wireless LAN break-in at a Marshalls in Minnesota. The report released today in Canada is the first to officially spell out how the breach occurred, and where.
The Canadian privacy commissioners said they have asked TJX to stop collecting driver's licence information and other forms of identifying data during merchandise returns and to purge such information from its databases. They also instructed TJX to notify customers about the purpose for -- and potential disclosure of -- all personal information collected once it implements a new return policy.
In response, TJX said it needs the driver's licence data as part of a fraud prevention process to identify people who frequently return merchandise. Going forward, the company will continue to ask for identification, but in Canada it has agreed to implement a process under which driver's licence numbers will be automatically hashed into a unique identifying number when keyed into a point-of-sale system.
The TJX data breach is the largest ever disclosed. It has already cost the company over US$150 million.