September 26, 2007 8:53 AM PDT

Privacy experts: T.J. Maxx breach was foreseeable

The breach of sensitive personal information held by TJX, operator of discount chains including T.J. Maxx and Marshalls, earlier this year was foreseeable, but the company failed to put in place adequate security safeguards, according to a report.

"The company collected too much personal information, kept it too long, and relied on weak encryption technology to protect it, putting the privacy of millions of its customers at risk," Jennifer Stoddart, the privacy commissioner of Canada, wrote in the report, which was released Tuesday.

Modern crime made a large-scale breach of this kind inevitable, Stoddart concluded. "Criminal groups actively target credit card numbers and other personal information," she said in the report. "A database of millions of credit card numbers is a potential goldmine for fraudsters, and it needs to be protected with solid security measures."

What made such a breach more likely was that the information had been kept for a long time, she said. "The TJX breach is a dramatic example of how keeping large amounts of sensitive information, particularly information that is not required for business purposes, for a long time can be a serious liability."

Stoddart said the affair was a "wake-up call" for all retailers.

Frank Work, the information and privacy commissioner of Alberta, added: "They must collect only the personal information necessary for a transaction."

TJX disclosed in January that its computer system had been breached, putting millions of credit and debit card numbers as well as other personal information at risk. In May, TJX said it believed the hackers gained access to its information via the Wi-Fi networks.

Details of 45 million customers of TJX were put at risk. The company could offer no comment at the time of writing.

Colin Barker of ZDNet UK reported from London.

See more CNET content tagged:
breach, personal information, privacy, credit card, retailer

1 comment

Join the conversation!
Add your comment
The Maxx For The Minimum
I think the TJ Maxx executives responsible for the security failures should receive the maximum jail time for the minimum culpability. That would be in keeping with their slogan.

Oh, and TJ Maxx's propoposed class action lawsuit settlement for affected customers is a joke. Two $30 vouchers! A 15% discount on merchandise!!! Oh goody. My life has been ruined by your incompetance and you are giving me the opportunity to buy more crap from your store. Where do I sign up!!!

<a class="jive-link-external" href="http://www.tjx.com/class_action.html" target="_newWindow">http://www.tjx.com/class_action.html</a>
Posted by Stating (869 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.