OTTAWA, Sept. 25 /CNW Telbec/ - The risk of a breach of sensitive
personal information held by TJX Companies Inc., the US parent company of
Winners and HomeSense stores in Canada, was foreseeable, but the company
failed to put in place adequate security safeguards, an investigation by the
Privacy Commissioners of Canada and Alberta has found.
"The company collected too much personal information, kept it too long
and relied on weak encryption technology to protect it - putting the privacy
of millions of its customers at risk," says Privacy Commissioner of Canada
"Criminal groups actively target credit card numbers and other personal
information," says Commissioner Stoddart. "A database of millions of credit
card numbers is a potential goldmine for fraudsters and it needs to be
protected with solid security measures.
"The TJX breach is a dramatic example of how keeping large amounts of
sensitive information - particularly information that is not required for
business purposes - for a long time can be a serious liability."
The joint investigation by the two Commissioners was launched after TJX
disclosed in January that its computer system had been breached. This breach
involved millions of credit and debit card numbers as well as other personal
information, such as driver's license numbers collected when customers
returned merchandise without receipts.
"This case is a wake-up call for all retailers. They must collect only
the personal information necessary for a transaction," says Frank Work, the
Information and Privacy Commissioner of Alberta.
"One positive outcome of this extremely unfortunate breach is that TJX
worked cooperatively with us to develop a new process for dealing with
unreceipted returns which strikes an appropriate balance between privacy
rights and a retailer's need to take steps to prevent fraud."
TJX believes the intruder may have initially gained access to customer
information via the wireless local area networks at two of its US stores.
Customer information was stolen from mid-2005 through December 2006, a TJX
investigation found. Some stolen information involved transactions dating back
Stolen information included credit card account data as well as data
collected when customers returned merchandise without a receipt (drivers'
license numbers, names and addresses).
The investigation concluded TJX did not comply with the federal private
sector privacy law, the Personal Information Protection and Electronic
Documents Act (PIPEDA), and Alberta's Personal Information Protection Act
(PIPA). The investigation found:
- TJX did not properly manage the risk of an intrusion against the amount
of customer data that it collected.
- The company failed to act quickly in converting from a weak encryption
standard to a stronger standard. The conversion process took two years
to complete, during which time the breach occurred.
- TJX did not meet its duty to monitor its computer systems vigorously.
An adequate monitoring system should have alerted the company of an
intrusion prior to December 2006.
- The company did not adhere to the requirements of the Payment Card
Industry Data Security Standard, which was developed to address the
growing problem of credit card data theft.
The investigation also found the company did not have a reasonable
purpose to collect driver's license and other identification numbers when
unreceipted merchandise was returned. TJX stated it asked for this
information as part of a fraud prevention process to identify people
frequently returning merchandise. It retained the driver's license numbers -
an extremely valuable piece of information for identity thieves -
In response to these concerns, TJX proposed a new process to address
fraudulent returns. Store staff will continue to ask for identification,
however, information such as a driver's license number will instantly be
converted into a unique identifying number when it is keyed into the
point-of-sale system. This will allow the company to track unreceipted
merchandise returns without keeping original driver's license numbers in its
The Commissioners called on TJX to take a number of steps to improve its
security measures and privacy practices and are pleased the company has agreed
to follow these recommendations.
Commissioner Stoddart says the Winners/HomeSense breach illustrates the
need to get security right in the first place to avoid the potentially huge
costs of mopping up after a security breach.
"Organizations need to ensure they have multiple layers of security and
that they keep up with advances in security technologies. The cost of failing
to do this can be enormous - not only to a company, but to its customers," she
says, adding that a data breach can also have a major impact on credit card
companies, banks, law enforcement agencies and regulatory bodies.
A summary of the findings in the case is available on the Commissioners'
The Privacy Commissioner of Canada is mandated by Parliament to act as an
ombudsman, advocate and guardian of privacy and the protection of personal
information rights of Canadians.
The Information and Privacy Commissioner of Alberta has a mandate to
promote a society where personal privacy is respected and public bodies are
open and accountable.
For further information:
For further information: Colin McKay, Office of the Privacy Commissioner
of Canada, (613) 995-0103, firstname.lastname@example.org; Wayne Wood, Office of the
Information and Privacy Commissioner of Alberta, (780) 644-4015,