TJX and its retail companies collected too much information, held it too long and used inadequate encryption technology to protect it, the Privacy Commissioner of Canada said in a report published Tuesday.
Released in conjunction with the 29th International Conference of Data Protection and Privacy Commissioners taking place in Montreal this week, the report describes how intruders breached the computer system of TJX Companies Inc., the U.S.-based owner of Winners and HomeSense stores, and accessed the personal information of more than 45 million individuals. Privacy Commissioner of Canada Jennifer Stoddart worked with Frank Work, Information and Privacy Commissioner of Alberta, on the report.
“We’re not interested in beating up on TJX – they got burned, but so did a lot of other institutions and customers,” said Work, who added that the value of the report lies in informing industries. “The criminals are good, and we just have to be better.”
Although TJX and its companies had some security technology in place, Work noted that their security measures relied on weak encryption technology, in particular Wired Equivalent Privacy, or WEP. The commissioners said the company was too slow to migrate to Wi-Fi Protected Access (WPA), which might have prevented the intruders from obtaining the data through its wireless network. Stoddart, however, suggested that better encryption was not necessarily the whole answer.
“In my mind, there will never be a complete technological answer to this,” she said. “I think it’s up to us as citizens and consumers to take responsibility.”
The report finds particular fault with TJX companies’ practice of recording drivers’ licence numbers as a way of preventing fraudulent returns of products without a receipt. In some cases this information was kept indefinitely, as were customers’ phone numbers, which were sometimes used for marketing purposes.
“You don’t need a telephone number to conclude a retail sale,” Stoddart said. “There’s nothing that states they have to or indeed that they are authorised to.”
Work said the commissioners recognize the problem of fraudulent returns and suggested that retailers adopt a “hash” system, in which a driver’s licence number would be scrambled into a value that an algorithm could later recognize as matching the same licence, without the number itself being stored. That way the driver’s licence number could be disposed of much sooner, he said.
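The following is an added illustration of the kind of “hash” system Work describes; it is not code from the report, from TJX or from any retailer named here, and the key, licence formats and return threshold are all constructed for the example. One point the paragraph does not spell out: a plain hash of a licence number is weak pseudonymization, because licence numbers come from a small, structured space and can be recomputed and matched by anyone who copies the database. A keyed hash (HMAC) with a secret held apart from the returns data lets the retailer recognize a repeat customer while leaving the stored tokens useless without the key.

```python
import hmac
import hashlib
import re
from collections import defaultdict

# Constructed demo key. In a real deployment this lives in a key-management
# system or HSM, is never stored beside the returns data, and is rotated.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def normalize_licence(raw: str) -> str:
    """Canonicalize a licence number so the same licence always yields the
    same token regardless of how the clerk typed it (case, spaces, dashes)."""
    return re.sub(r"[^A-Z0-9]", "", raw.upper())


def licence_token(raw: str, key: bytes = SECRET_KEY) -> str:
    """Keyed pseudonym (HMAC-SHA256) for a driver's licence number.

    Unlike hashlib.sha256(licence), this cannot be recomputed by someone
    who obtains only the token database, because they lack the key."""
    digest = hmac.new(key, normalize_licence(raw).encode(), hashlib.sha256)
    return digest.hexdigest()


class ReturnsLedger:
    """Counts no-receipt returns per pseudonymized licence.

    Only tokens are stored; the raw licence number is discarded as soon as
    the token is computed, which is the retention point the report makes."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold
        self.counts = defaultdict(int)  # token -> number of no-receipt returns

    def record_return(self, raw_licence: str) -> bool:
        """Record one no-receipt return. Returns True if this licence has now
        reached the review threshold (a fraud signal for staff, not a verdict)."""
        token = licence_token(raw_licence)
        self.counts[token] += 1
        return self.counts[token] >= self.threshold

    def stores_raw_licence(self, raw_licence: str) -> bool:
        """Sanity check for audits: the raw number must never appear as a key."""
        return raw_licence in self.counts or normalize_licence(raw_licence) in self.counts


if __name__ == "__main__":
    ledger = ReturnsLedger(threshold=3)
    # Constructed sample licence typed three different ways at the till.
    for attempt in ("A1234-56789-01234", "a1234 56789 01234", "A123456789 01234"):
        print(attempt, "-> flagged" if ledger.record_return(attempt) else "-> ok")
    print("tokens stored:", len(ledger.counts))
```

The normalization step matters as much as the hash: without it, a licence entered with and without dashes would produce two unrelated tokens and the fraud check would silently miss repeats. Because the token is keyed, a retailer that later decides to stop tracking returns can simply destroy the key, which renders every stored token unlinkable in one operation.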
Other retailers are dealing with fraudulent returns by creating what are called returns control systems, which tie into their data warehouse and link to point-of-sale systems. Hudson’s Bay Co., which has set up such a system, says it has been saving about $2 million a year since going live two years ago.
The message for retailers is to think carefully about how personal information figures in their marketing and administrative operations, Stoddart said, noting that the TJX incident had ramifications far beyond North America.
“Consumers should worry a lot more than they do,” she said. “Many of the stores we deal with now as Canadians in any of our provinces are attached to a global network.”
On Friday TJX said it will offer three years of credit-monitoring services along with identity theft insurance coverage to all consumers whose driver’s licence or other personal data may have been compromised by the massive data breach the retailer disclosed earlier this year. The company was facing a massive class-action lawsuit.
The U.S. Federal Trade Commission, a group of U.S. Attorneys General, the U.K. Information Commissioner and the Irish Data Protection Commissioner are all conducting their own investigations into the TJX breach, the report noted.