Menu
Canadian probe reveals how TJX breach happened

Canadian probe reveals how TJX breach happened

After months of speculation about how exactly the intrusion at TJX Companies. happened, officials now know how the theft was committed.

The intruders who broke into TJX's networks and stole data involving more than 45 million credit card and debit card numbers first gained access to the company's systems via poorly protected wireless local-area networks -- as some have previously theorised. The break-ins happened at two Marshalls stores in Miami.

The stolen information was accessed from the Retail Transaction Switch (RTS) servers that were responsible for processing and storing information related to customer transactions at TJX stores. The data compromised by the breach included driver's license numbers and other personally identifiable information related to payment-card and merchandise return transactions for which a receipt was not present.

However, deletion technology used by the intruders has so far made it impossible for TJX to determine exactly the contents of most of the files created and downloaded by the intruders.

These and other details were released today following a joint investigation into the TJX data breach conducted by Canada's national privacy commissioner and the privacy commissioner of Alberta.

In a 20-page report, the commissioners lay the blame squarely on TJX for not only collecting more customer information than was needed for completing a transaction, but also for failing to take adequate measures to protect the collected data. The commissioners also faulted TJX for not having a monitoring system in place that could detect the breach earlier and for failing to implement the Payment Card Industry data security standards mandated by major credit card companies.

"The finding was that there was too much information collected by the retailer" -- in particular, driver's license information, Frank Work, the information and privacy commissioner of Alberta, said at a news conference announcing the findings this morning. Customer data was also kept too long -- in some cases indefinitely, Work said.

In addition, "the final finding was that the security measures put in place relied on weak encryption technology, in particular WEP [Wired Equivalent Privacy]," said Canada's privacy commissioner, Jennifer Stoddart. "The finding was that TJX should have moved to WPA [Wi-fi Protected Access] earlier."

Work noted that TJX disagreed with the commissioner's findings that it should have moved to WPA earlier. "But as the regulators, we are entitled to make that finding, and that's the finding we made. We are not interested in beating up on TJX. They got burned. But so did a lot of other institutions and so did a lot of customers. The value of this report lies in informing industry how not to get burned."

The Canadian report comes about eight months after TJX disclosed that unknown intruders had gained access to its payment systems and compromised data belonging to millions of customers in several countries, including Canada. Since then, there has been speculation that the breach was the result of a wireless hack into one of the company's U.S.-based stores. A story earlier this year by The Wall Street Journal quoted investigators as saying the TJX intruders had gained access via a wireless LAN break-in at a Marshalls in Minnesota. The report released today in Canada is the first to officially spell out how the breach occurred, and where.

The Canadian privacy commissioners said they have asked TJX to stop collecting driver's licence information and other forms of identifying data during merchandise returns and to purge such information from its databases. They also instructed TJX to notify customers about the purpose for -- and potential disclosure of -- all personal information collected once it implements a new return policy.

In response, TJX said it needs the driver's licence data as part of a fraud prevention process to identify people who frequently return merchandise. Going forward, the company will continue to ask for identification, but in Canada it has agreed to implement a process under which driver's licence numbers will be automatically hashed into a unique identifying number when keyed into a point-of-sale system.

The TJX data breach is the largest ever disclosed. It has already cost the company over US$150 million.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags tjxcanadacanadian report

Featured

Slideshows

The making of an MSSP: a blueprint for growth in NZ

The making of an MSSP: a blueprint for growth in NZ

Partners are actively building out security practices and services to match, yet remain challenged by a lack of guidance in the market. This exclusive Reseller News Roundtable - in association with Sophos - assessed the making of an MSSP, outlining the blueprint for growth and how partners can differentiate in New Zealand.

The making of an MSSP: a blueprint for growth in NZ
Reseller News Platinum Club celebrates leading partners in 2018

Reseller News Platinum Club celebrates leading partners in 2018

The leading players of the New Zealand channel came together to celebrate a year of achievement at the inaugural Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months, with more than ​​50 organisations in the spotlight.​​​

Reseller News Platinum Club celebrates leading partners in 2018
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP has honoured its leading partners in New Zealand during 2018, following 12 months of growth through the local channel. Unveiled during the fourth running of the ceremony in Auckland, the awards recognise and celebrate excellence, growth, consistency and engagement of standout Kiwi partners.

Meet the top performing HP partners in NZ
Show Comments