Canadian privacy commissioner slams TJX data policy

Record-breaking data leak was 'foreseeable'

The leak of 45 million people's credit card information was caused by retailer TJX gathering too much data and not protecting it properly, according to the Canadian privacy commissioner.

The commissioner has published the results of an investigation into the company, which found that the unprecedented leak was foreseeable. The investigation concluded that the company's processes had failed to protect customers and that simply keeping so much information was "a serious liability".

"The company collected too much personal information, kept it too long and relied on weak encryption technology to protect it – putting the privacy of millions of its customers at risk," said privacy commissioner Jennifer Stoddart.

"Criminal groups actively target credit card numbers and other personal information. A database of millions of credit card numbers is a potential goldmine for fraudsters and it needs to be protected with solid security measures," she said.

"The TJX breach is a dramatic example of how keeping large amounts of sensitive information – particularly information that is not required for business purposes – for a long time can be a serious liability."

The commissioner's office conducted an investigation but has not taken TJX to the courts, which it has the power to do. It said that it had made recommendations to TJX during the course of the investigation about how it could improve its systems and that TJX had complied with its requests.

"We are of the view that TJX contravened the [law] concerning the collection and retention of personal information held by it," said the commissioner's report. "We are pleased, however, that TJX has agreed to implement our recommendations to the extent that [we] consider the matter to be resolved."

The investigation was carried out jointly by the federal privacy commissioner and the privacy commissioner of Alberta, a Canadian province whose privacy laws differ from the national law. They investigated TJX and its subsidiaries Winners Merchant International and HomeSense, the shops it operates in Canada.

The commissioner found that TJX had failed to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and Alberta's Personal Information Protection Act (PIPA).

The company did not manage the risk of a breach, it failed to encrypt data strongly enough, it did not monitor its systems well enough, it did not act in accordance with payment card industry standards and it collected too much information.

The investigation also found that the company did not even have adequate reason to collect all the information that it did gather.

"The investigation also found the company did not have a reasonable purpose to collect driver's licence and other identification numbers when unreceipted merchandise was returned," said a statement from the commissioner's office.

"TJX stated it asked for this information as part of a fraud prevention process to identify people frequently returning merchandise. It retained the driver's licence numbers – an extremely valuable piece of information for identity thieves – indefinitely," it said.

The office of the commissioner said it would not take action against TJX because the company had already complied with its requests.

The office has told the company to improve its security and privacy practices in specific ways. "[The commissioners] are pleased the company has agreed to follow these recommendations," said the office.

The commissioner is an officer of the Canadian Parliament and has the power to conduct investigations, compel people to give evidence, and take action through the courts based on Canada's privacy laws.

Copyright © 2007, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.
