A joint investigation into a major privacy breach has determined that a retail company was collecting too much information and using too few safeguards to protect customers.

Privacy commissioners held a news conference Tuesday to reveal the results of their probe into how intruders breached the computer system at TJX Companies Inc., the U.S.-based owner of Winners and HomeSense stores, a breach the company disclosed earlier this year.

The breach put the personal information of millions of customers, including Canadians who shop at Winners and HomeSense, at risk.

Privacy Commissioner of Canada Jennifer Stoddart and Alberta Information and Privacy Commissioner Frank Work held the news conference in Montreal at the 29th International Conference of Data Protection and Privacy Commissioners.

Work told reporters that TJX collected driver's licence numbers, credit card numbers and transaction records from customers. In some cases, he said, the information was retained indefinitely, for no apparent reason.

And, he added: "The security measures put in place relied on weak encryption technology. TJX HomeSense/Winners should have moved to a better protocol earlier."

Intruders were able to break into the company's database and make use of the stolen information.

"A database of millions of credit card numbers is a potential goldmine for fraudsters and it needs to be protected with solid security measures," Stoddart said.

"The TJX breach is a dramatic example of how keeping large amounts of sensitive information -- particularly information that is not required for business purposes -- for a long time can be a serious liability."

The investigation was launched after TJX announced in January that its computer system had been breached. Customer information was stolen from mid-2005 through December 2006.

The report recommends that TJX continue to collect credit card numbers, but implement a "hashing" system that converts the credit card number to a code for future reference and purges the actual number from the system.
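The report's recommendation is described only in outline above. As an added example, written for this page and not code from the report or from TJX, the Python below shows one way to implement it, together with the check a practitioner would want before calling it done: a plain, unkeyed hash of a 16-digit card number can be brute-forced by anyone who knows the issuer's BIN (the first six to eight digits) and the last four digits printed on a receipt, because only a few thousand to a million Luhn-valid candidates remain. The reference token should therefore be a keyed hash (HMAC) under a secret that is stored apart from the database, and the row that is kept should contain the token and last four digits only. The key handling, the field names and the sample card number (the standard 4111 1111 1111 1111 test number) are assumptions.

```python
"""Added example: keyed PAN tokenisation versus a bare hash.

Illustrative code written for this page; it is not the report's or
TJX's implementation. Key storage, field names and the sample card
number are assumptions.
"""
import hashlib
import hmac
import itertools
import secrets
from typing import Optional


def luhn_valid(pan: str) -> bool:
    """Luhn check, which every payment card number must pass."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def unkeyed_hash(pan: str) -> str:
    """What 'hashing' is often taken to mean: a plain SHA-256 of the PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan(digest: str, bin_prefix: str, last4: str) -> Optional[str]:
    """Brute-force an unkeyed PAN hash.

    With the BIN and the last four known, at most 10**(16 - known digits)
    middle strings remain, and the Luhn filter removes nine in ten of them.
    An 8-digit BIN leaves 10**4 candidates; a 6-digit BIN leaves 10**6,
    which is still seconds of work on one CPU.
    """
    unknown = 16 - len(bin_prefix) - len(last4)
    for middle in itertools.product("0123456789", repeat=unknown):
        candidate = bin_prefix + "".join(middle) + last4
        if luhn_valid(candidate) and unkeyed_hash(candidate) == digest:
            return candidate
    return None


def tokenize(pan: str, key: bytes) -> str:
    """Keyed reference token: HMAC-SHA256 under a secret the database never holds."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def make_record(pan: str, key: bytes) -> dict:
    """Build the row that is retained. The raw PAN is purged: it is not in it."""
    return {"token": tokenize(pan, key), "last4": pan[-4:]}


def matches(pan: str, record: dict, key: bytes) -> bool:
    """Later lookup (a return without a receipt, say) recomputes the token."""
    return hmac.compare_digest(tokenize(pan, key), record["token"])


if __name__ == "__main__":
    pan = "4111111111111111"        # constructed: the standard Visa test number
    key = secrets.token_bytes(32)   # assumed: kept in an HSM/KMS, apart from the data

    # The weak design: the digest alone gives the card number back.
    print("unkeyed hash recovered:", recover_pan(unkeyed_hash(pan), "41111111", "1111"))

    # The keyed design: the stored row is useless without the key.
    rec = make_record(pan, key)
    print("stored record:", rec)
    print("match on lookup:", matches(pan, rec, key))
```

Only the standard library is used. The point of the split is that a stolen database of tokens is worthless without the HMAC key, whereas a stolen database of plain hashes is, for card numbers, barely better than plaintext; the current PCI DSS (v4.0, requirement 3.5.1.1) accordingly requires hashes used to render a PAN unreadable to be keyed.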

Work said the report focuses on the incident with TJX, but many other companies also collect more information than they need and use inadequate safeguards. The TJX incident illustrates the need for all retailers to tighten up security measures, he said.

"The value of this report lies in informing retailers on how not to get burned," Work said.

It's also a wake-up call for consumers, says a computer science professor caught up in the credit fraud.

"For me it reiterates the fact that you need to trust who it is that you are purchasing from, and it was that trust that was lost with Winners," Dean Jin told CTV News.

Jin got new credit cards. He also signed on to a class action lawsuit against the Winners and HomeSense parent company, TJX.

The lawyer handling the suit says the company has agreed to a proposed settlement, and that it sends a message to retailers that they need to plug the holes in their security systems.

"The settlement provides that in excess of 200,000 Canadians will qualify for a voucher to be used at Winners and HomeSense and that voucher will be worth $30 and $60," said Evatt Merchant.

"In a digital wired world our bits and pieces of information are more important than ever," Stoddart said at the news conference.

"The message for retailers is think carefully about how you use personal information. ...Think about what information you're collecting, why you have to collect it, how long you should keep it and how safely it is stored."

By way of example, Stoddart said there is no reason for retailers to collect phone numbers from customers, and shoppers should be wary about providing such information to a retail company. But she added that both consumers and retailers need to take greater responsibility.

"Consumers should worry a lot more than they do," Stoddart said.

"We're all busy, we're all running from one thing to another, but consumers should worry more about what's happening with their personal information."

The report found TJX failed to do the following:

  • Use adequate protection against intruders;
  • Act quickly in upgrading its encryption standard;
  • Monitor its computer systems vigorously;
  • Adhere to the Payment Card Industry Data Security Standard (PCI DSS).