Wireless Systems Faulted in TJX Theft
millions of credit card numbers
from discount retailer TJX Cos. by intercepting
wireless transfers of customer information from two Miami-area Marshalls stores,
according to an eight-month investigation by the Canadian government.
The investigation led by Canadian Privacy Commissioner Jennifer Stoddart faulted
TJX for failing to upgrade its data encryption system, and retaining years-old
customer data that should have been quickly purged from TJX's data systems.
Among TJX's stores are Winners and HomeSense stores in Canada.
the breach in January, but the company and U.S. government investigators
have yet to publicly disclose how they believe intruders initially broke into
TJX's systems in a theft that exposed at least 45 million credit and debit cards
to potential fraud.
"The company collected too much personal information, kept it too long
and relied on weak encryption technology to protect it -- putting the privacy
of millions of its customers at risk," said Stoddart, who announced the
findings at an information security conference in Montreal on Tuesday.
TJX spokeswoman Sherry Lang said her company worked collaboratively with Canadian
authorities, and would adopt their recommendations to upgrade its information
"While we respectfully disagree with many of the Commissioners' factual
findings and legal conclusions, we have chosen to implement their recommendations,
having already implemented most of them, with the remainder in process,"
The recommendations include steps to mask driver's license information collected
when customers return merchandise without receipts.
Stoddart, who investigated the breach along with Alberta Information and Privacy
Commissioner Frank Work, said her office learned from TJX that the hacker or
hackers' entry point was a local area wireless network at two Miami area Marshalls
Such networks collect and transmit data via radio waves about customer purchases,
including payment card data, although wireless transmissions can be intercepted
by means such as antennas. While such data is typically encrypted, Canadian
officials said TJX used an encryption method that was outdated and vulnerable
to hackers at the time of the breach.
The investigators found customer information was stolen from mid-2005 through
2006 -- in line with what TJX has previously said -- although some stolen information
involved transactions dating as long ago as 2002.
Framingham, Mass.-based TJX is the owner of about 2,500 discount stores including
Marshalls and T.J. Maxx.