After months of speculation about how exactly the intrusion at TJX Companies happened, officials now know.
The intruders who broke into TJX's networks and stole data involving more than 45 million credit card and debit card numbers first gained access to the company's systems via poorly protected wireless local-area networks -- as some have previously theorized. The break-ins happened at two Marshalls stores in Miami.
The stolen information was accessed from the Retail Transaction Switch (RTS) servers that were responsible for processing and storing information related to customer transactions at TJX stores. The data compromised by the breach included driver's license numbers and other personally identifiable information related to payment-card and merchandise return transactions for which a receipt was not present.
However, deletion technology used by the intruders has so far made it impossible for TJX to determine exactly the contents of most of the files created and downloaded by the intruders.
These and other details were released today following a joint investigation into the TJX data breach conducted by Canada's national privacy commissioner and the privacy commissioner of Alberta.
In a 20-page report, the commissioners lay the blame squarely on TJX for not only collecting more customer information than was needed for completing a transaction, but also for failing to take adequate measures to protect the collected data. The commissioners also faulted TJX for not having a monitoring system in place that could detect the breach earlier and for failing to implement the Payment Card Industry data security standards mandated by major credit card companies.
"The finding was that there was too much information collected by the retailer" -- in particular, driver's license information, Frank Work, the information and privacy commissioner of Alberta, said at a news conference announcing the findings this morning. Customer data was also kept too long -- in some cases indefinitely, Work said.
In addition, "the final finding was that the security measures put in place relied on weak encryption technology, in particular WEP [Wired Equivalent Privacy]," said Canada's privacy commissioner, Jennifer Stoddart. "The finding was that TJX should have moved to WPA [Wi-fi Protected Access] earlier."
Work noted that TJX disagreed with the commissioner's findings that it should have moved to WPA earlier. "But as the regulators, we are entitled to make that finding, and that's the finding we made. We are not interested in beating up on TJX. They got burned. But so did a lot of other institutions and so did a lot of customers. The value of this report lies in informing industry how not to get burned."
The Canadian report comes about eight months after TJX disclosed that unknown intruders had gained access to its payment systems and compromised data belonging to millions of customers in several countries, including Canada. Since then, there has been speculation that the breach was the result of a wireless hack into one of the company's U.S.-based stores. A story earlier this year by The Wall Street Journal quoted investigators as saying the TJX intruders had gained access via a wireless LAN break-in at a Marshalls in Minnesota. The report released today in Canada is the first to officially spell out how the breach occurred, and where.
The Canadian privacy commissioners said they have asked TJX to stop collecting driver's license information and other forms of identifying data during merchandise returns and to purge such information from its databases. They also instructed TJX to notify customers about the purpose for -- and potential disclosure of -- all personal information collected once it implements a new return policy.
In response, TJX said it needs the driver's license data as part of a fraud prevention process to identify people who frequently return merchandise. Going forward, the company will continue to ask for identification, but in Canada it has agreed to implement a process under which driver's license numbers will be automatically hashed into a unique identifying number when keyed into a point-of-sale system.
The TJX data breach is the largest ever disclosed. It has already cost the company over $150 million. Yesterday, the company announced a proposed settlement of consumer class action lawsuits that have been initiated against it. The proposed settlement includes credit and ID theft monitoring services for up to three years for individuals whose driver's license numbers were compromised, shopping vouchers for those whose card information might have been stolen, and a one-time three-day event in 2008 during which the company will sell items at a 15 percent discount in all of its stores.
The Canadian investigation shows that the TJX breach has moved to a new level, said Deepak Taneja, CEO of Aveska, a provider of access control technologies. "It has now become an international incident," with Canada's privacy commissioners saying that the company failed to follow that country's data protection laws. "I wouldn't be surprised if someone in Europe came and said they failed to comply with European compliance requirements."
Regardless of how the intruders accessed the TJX network, what is more important is the fact that they remained undetected for two years, Taneja added. "To me the largest issue is security governance. This was just poor security governance" on TJX's part.
Despite the negative publicity generated by the breach, TJX so far has escaped relatively unscathed in terms of customer confidence. Just 22 percent of TJX customers in an August 2007 survey by analyst firm Gartner said they're much less inclined to shop at TJX stores. "We believe many of them will likely change their minds as soon as they see an attractive TJX sale," Gartner analyst Avivah Litan said. "Most TJX customers clearly care more about discounts than about card security, because they know banks will usually cover potential losses if a card is stolen and used."