Canadian privacy commissioner slams TJX data policy

Record-breaking data leak was 'foreseeable'

The leak of 45 million people's credit card information was caused by retailer TJX gathering too much data and not protecting it properly, according to the Canadian privacy commissioner.

The commissioner has published the results of an investigation into the company, which found that the unprecedented leak was foreseeable. It found that the company's processes had failed to protect customers, and that simply keeping so much information is "a serious liability".

"The company collected too much personal information, kept it too long and relied on weak encryption technology to protect it – putting the privacy of millions of its customers at risk," said privacy commissioner Jennifer Stoddart.

"Criminal groups actively target credit card numbers and other personal information. A database of millions of credit card numbers is a potential goldmine for fraudsters and it needs to be protected with solid security measures," she said.

"The TJX breach is a dramatic example of how keeping large amounts of sensitive information – particularly information that is not required for business purposes – for a long time can be a serious liability."

The commissioner's office conducted an investigation but has not taken TJX to the courts, which it has the power to do. It said that it had made recommendations to TJX during the course of the investigation about how it could improve its systems and that TJX had complied with its requests.

"We are of the view that TJX contravened the [law] concerning the collection and retention of personal information held by it," said the commissioner's report. "We are pleased, however, that TJX has agreed to implement our recommendations to the extent that [we] consider the matter to be resolved."

The investigation was carried out jointly by the federal privacy commissioner and the privacy commissioner of Alberta, a Canadian province whose privacy laws differ from the national ones. They investigated TJX and its subsidiaries Winners Merchant International and HomeSense, the shops it operates in Canada.

The commissioner found that TJX had failed to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and Alberta's Personal Information Protection Act (PIPA).

The company did not manage the risk of a breach; it failed to encrypt data strongly enough; it did not monitor its systems well enough; it did not act in accordance with payment card industry standards; and it collected too much information.

The investigation also found that the company did not even have adequate reason to collect all the information that it did gather.

"The investigation also found the company did not have a reasonable purpose to collect driver's licence and other identification numbers when unreceipted merchandise was returned," said a statement from the commissioner's office.

"TJX stated it asked for this information as part of a fraud prevention process to identify people frequently returning merchandise. It retained the driver’s license numbers – an extremely valuable piece of information for identity thieves – indefinitely," it said.
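One way to keep the frequent-returner check the commissioner describes without retaining the raw identifier, as an added example that is not from the article or from TJX: store only a keyed hash of the ID number and expire the records after a fixed retention window. The secret key, the 90-day window and the three-returns threshold are assumptions for illustration.

```python
import hmac
import hashlib
from datetime import datetime, timedelta

# Constructed key for the example only; a real deployment would load it
# from a key vault so the hashes cannot be reversed by anyone holding the data.
PSEUDONYM_KEY = b"example-key-do-not-use"
RETENTION_DAYS = 90      # assumed retention window for return records
RETURN_THRESHOLD = 3     # assumed number of unreceipted returns that flags a customer


def pseudonymize(id_number: str) -> str:
    """Keyed hash of an ID number; the raw number is never written to storage."""
    normalized = id_number.strip().upper().encode()
    return hmac.new(PSEUDONYM_KEY, normalized, hashlib.sha256).hexdigest()


class ReturnsLog:
    """Holds (pseudonym, timestamp) pairs and purges anything past the retention window."""

    def __init__(self, retention_days: int = RETENTION_DAYS):
        self.retention = timedelta(days=retention_days)
        self._events = []

    def record_return(self, id_number: str, when: datetime) -> None:
        self._events.append((pseudonymize(id_number), when))

    def purge_expired(self, now: datetime) -> int:
        """Drop records older than the window; returns how many were removed."""
        cutoff = now - self.retention
        before = len(self._events)
        self._events = [(p, t) for p, t in self._events if t >= cutoff]
        return before - len(self._events)

    def is_frequent_returner(self, id_number: str, now: datetime) -> bool:
        self.purge_expired(now)
        token = pseudonymize(id_number)
        return sum(1 for p, _ in self._events if p == token) >= RETURN_THRESHOLD


def demo():
    """Constructed scenario: three returns in 20 days, then a check after the window lapses."""
    log = ReturnsLog()
    t0 = datetime(2007, 1, 1)
    for days in (0, 10, 20):
        log.record_return("A1234-56789", t0 + timedelta(days=days))
    flagged_now = log.is_frequent_returner("a1234-56789 ", t0 + timedelta(days=30))
    purged = log.purge_expired(t0 + timedelta(days=120))
    flagged_later = log.is_frequent_returner("A1234-56789", t0 + timedelta(days=120))
    return flagged_now, purged, flagged_later
```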

The office of the commissioner said it would not take action against TJX because the company had already complied with its requests.

The office has told the company to improve its security and privacy practices in specific ways. "[The commissioners] are pleased the company has agreed to follow these recommendations," said the office.

The commissioner is an officer of the Canadian Parliament and has the power to conduct investigations, compel people to give evidence, and take action through the courts based on Canada's privacy laws.

Copyright © 2007, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.
