TJX Asked Too Much, Protected Too Little, Say Canadian Officials

Thieves were able to breach the corporate databases of TJX Companies and steal millions of credit card numbers because the company retained too much information that was not properly secured, according to a report released Tuesday by the Office of the Privacy Commissioner of Canada.

TJX is the parent company of several discount retailers operating in Canada, the U.S. and abroad, including TJ Maxx, TK Maxx, Marshalls and A.J. Wright.

The theft was entirely “foreseeable,” but TJX “failed to put in place adequate security safeguards,” the Privacy Commissioners of Canada and Alberta concluded.

“The company collected too much personal information, kept it too long and relied on weak encryption technology to protect it — putting the privacy of millions of customers at risk,” said Jennifer Stoddar, privacy commissioner of Canada.

The joint investigation’s scathing report comes just days after TJX announced it reached a settlement agreement in the customer class action lawsuit filed as a result of the thefts that included three years of credit monitoring in addition to two years of identity theft insurance coverage.

Too Much Information

The thefts occurred over an 18-month period, during which personal information, including credit and debit card numbers, check, return merchandise transactions, as well as driver’s license information, was stolen, TJX revealed in January.

Some of the purloined data was involved in transactions as far back as 2002.

The retailer told the Commissioner’s office it believes the criminals gained access initially to their database via the wireless local area networks at two of its stores in the U.S.

“Criminal groups actively target credit card numbers and other personal information,” she continued. “A database of millions of credit card numbers is a potential goldmine for fraudsters, and it needs to be protected with solid security measures.”

The report concluded that TJX did not comply with Canada’s federal private sector privacy law. The Commissioner’s report said the company did not correctly manage the risk of an intrusion against the amount of customer data that it collected. It also failed to act quickly in converting from a weak encryption standard to a stronger standard, taking two years to convert their system, during which time the breach occurred. In addition, TJX did not monitor its computer systems vigorously and did not adhere to the requirements of the Payment Card Industry Data Security Standard (PCI DSS), the office concluded.

“The case is a wake-up call for all retailers,” stated Frank Work, Information and Privacy Commissioner of Alberta. “They must collect only the personal information necessary for a transaction.”

Making Lemonade

TJX cooperated with the Commissioner’s investigation and in response to their findings proposed a new process to deal with fraudulent merchandise returns. Store personnel will continue to request identification; however, data such as driver’s license numbers will be converted into a unique identifying number when it is entered into the point-of-sale system. That, the Commissioner noted, will allow the company to track merchandise returns missing a receipt without keeping sensitive data in its system.

In addition, the Commissioner’s office called on TJX to enact a number of changes to improve its security measures and privacy practices and said it is pleased the company has agreed to follow their recommendations. However, the breach points to a need to install the necessary security measures first and thereby avoid the enormous cost of a break-in.

“Organizations need to ensure they have multiple layers of security and that they keep up with advances in security technologies,” Stoddard pointed out. “The cost of failing to do this can be enormous — not only to a company, but to its customers.”

Credit card companies, banks, law enforcement agencies and regulatory bodies are also caught up in the financial fallout, she added.

TJX will have spent an estimated total of US$125 million dollars on security improvements before and after the breach, estimated Avivah Litan, a Gartner analyst, in a published report. In its second quarter earnings report, the company took a $118 million after-tax charge for the quarter to cover current and potential costs arising from the theft and may record an additional $21 million in non-cash charges in the future, she noted.

The cost to banks, Litan wrote, could reach as much as $23.5 million because some 72 percent had to reissue accounts at roughly $20 for each account.

Industry Problem

The Commissioners’ findings were correct, Aaron McPherson, an IDC analyst, told CRM Buyer, in that the company kept an unnecessary amount of personal information for too long.

“But unfortunately, it has been all too common in the U.S.,” he said. “TJX was simply unlucky enough to suffer a major breach. I do think the situation has improved substantially, due in large part to this breach, although there is still a long way to go.”

Statistics released in late July from Visa, McPherson pointed out, confirmed that 96 percent of its Level 1 merchants that process more than 6 million transactions each year — the largest category and one that includes TJX — are no longer storing credit card data. However, they may be storing other information. Only 40 percent of retailers were in full PCI compliance, while 50 percent submitted plans for coming into compliance.

However, “by the end of the week, all [Level 1 retailers] must be in compliance or face fines,” he added.

With Level 2 and Level 3 merchants, compliance percentages are even worse. Those two levels are responsible for 1 million to 6 million transactions and 20,000 to 1 million transactions each year, respectively. Yet only 33 percent of Level 2 merchants were compliant, while 42 percent and the second tier and 22 percent on the third tier said they are working toward compliance.

The Level 3 compliance rate is “pretty good by comparison, perhaps because fraud has been a bigger problem on the Internet or because they have newer systems,” according to McPherson.

Level 4 vendors are at only 19 percent, but only represent 5 percent of total exposed accounts. However, McPherson pointed out, more than 80 percent of identified compromises since 2005 have occurred at these businesses.

“So they are of concern,” he explained. “Visa is going to rely on its member banks and acquirers to work with the small businesses.

“You can see what I mean by ‘long way to go’ when only 40 percent of the TJX-scale merchants are fully compliant. That leaves a lot of potential breaches still out there. Maybe the card data is secure, but as we saw with TJX, there’s a lot more sensitive data that could be seized,” he concluded.

Blame Game

Of the 2.4 percent of consumers whose data was stolen, 72 percent of survey respondents place blame for the breach firmly on the shoulders of the retailer, but only 22 percent said they were less inclined to shop at TJX stores, Gartner’s Litan found. In fact, TJX reported a 7 percent increase in profits for the six months following the theft that ended on July 28.

“One out of five were bothered a lot, [but not enough to stop shopping there] because they know the banks will pay them back,” she told CRM Buyer. “Clearly, discounts are more important than credit card data. Consumers have been really well trained by the credit card and debit card companies and banks that spend millions and millions of dollars a year telling people their money is safe.”

Although Litan acknowledged that TJX bears the brunt of responsibility for the data theft, she also believes that security is problem for the entire payment industry and not just individual retailers.

“There are lots of TJXs out there,” she stated. “In fact, they’re more the norm than the exception. The issue is the banks have rushed to put these payment systems out to generate revenues for themselves because of the fee revenue every time you use your card and interest on your card payments and easy credit.”

Banks, Litan explained, put out the payment systems knowing that they were not that secure on the retailers’ end. The fix, she continued, was to add a significant layer of security to the system is as simple as requiring a personal identification number (PIN) at the point of sale.

“That would eliminate probably 90 percent of the potential fraud,” she said. “It wouldn’t matter if the data was stolen. TJX is really a scapegoat. Sure they had a breach, but of the 6 million retailers out there probably only 300 retailers could not be breached because their security is so tight. The rest of them, they all have holes.

“They just got caught because they are a huge retailer. But the problem is not just theirs; it’s the banking industry’s, and the credit and debit card. In terms of consumers, they are reacting just as they should react.”

Litan recommends that retailers limit the amount of information they collect and do not store unnecessary payment data. Merchants should also segment payment data that they do store so that the work needed to secure their payment systems will be manageable. Lastly, they can use the lessons of the TJX scenario to convince budget decision-makers that the cost of securing data is far lower than the cost of responding to a data breach.

“Retailers should never store the full [magnetic] stripe data,” she advised. “There is data on the stripe they never need. But depending on their refund policy, other data should be archived and moved off the site.”