TJX Data Breach Foreseeable
A Canadian report raps TJX over policies that made its data breach foreseeable.
You might recall the massive data theft from TJX, the parent company of retailers like TJ Maxx and Marshalls. It was first revealed in January: over a period of a year and a half, the hackers had stolen credit and debit card numbers, check and merchandise-return transactions, and driver’s license information.

A new report into the theft from the Office of the Privacy Commissioner in Canada has concluded that TJX not only kept too much information for too long, but also didn’t secure it properly. The company has said it believes the data was stolen by thieves using unsecured Wi-Fi networks in two of its American stores, and has recently settled a class action suit brought by customers. As part of that, TJX has agreed to provide three years of credit monitoring and two years of identity theft insurance coverage for customers.

This report comes in the wake of that settlement, and raps TJX soundly for not complying with Canada’s federal private sector privacy law. According to the report, TJX didn’t properly weigh the risks of an attack against the amount of data from customers that it stored, and failed to quickly bring in a strong encryption system. Nor did it properly monitor its computer systems or stick to the requirements of the Payment Card Industry Data Security Standard (PCI DSS).

The report stated that, “In our view, the risk of a breach was foreseeable based on the amount of sensitive personal information retained and the fact that the organization issuing industry standards had identified the weakness of WEP encryption. Information should have been segregated and the systems better monitored.”

TJX has spent over $100 on security improvements.
