The Commissioner has published the results of an investigation
into the company which found that the unprecedented leak was
foreseeable. It found that the company's processes had failed to
protect customers, and that simply keeping so much information is "a
serious liability".
"The company collected too much personal information, kept it
too long and relied on weak encryption technology to protect it -
putting the privacy of millions of its customers at risk," said
Privacy Commissioner Jennifer Stoddart.
"Criminal groups actively target credit card numbers and other
personal information. A database of millions of credit card numbers
is a potential goldmine for fraudsters and it needs to be protected
with solid security measures," she said.
"The TJX breach is a dramatic example of how keeping large
amounts of sensitive information - particularly information that is
not required for business purposes - for a long time can be a
serious liability."
The Commissioner's office conducted an investigation but has not
taken TJX to the courts, which it has the power to do. It said that
it had made recommendations to TJX during the course of the
investigation about how it could improve its systems and that TJX
had complied with its requests.
"We are of the view that TJX contravened the [law] concerning
the collection and retention of personal information held by it,"
said the Commissioner's report. "We are pleased, however, that TJX
has agreed to implement our recommendations to the extent that [we]
consider the matter to be resolved."
The investigation was carried out by the Privacy Commissioner
and the Privacy Commissioner of Alberta, a Canadian province whose
privacy laws differ from the national laws. They investigated TJX
and its subsidiaries Winners Merchant International and HomeSense,
the shops it operates in Canada.
The Commissioner found that TJX had failed to comply with the
Personal Information Protection and Electronic Documents Act
(PIPEDA) and Alberta's Personal Information Protection Act
(PIPA).
The company did not manage the risk of a breach: it failed to
encrypt data strongly enough; it did not monitor its systems well
enough; it did not act in accordance with payment card industry
standards; and it collected too much information.
The investigation also found that the company did not even have
adequate reason to collect all the information that it did
gather.
"The investigation also found the company did not have a
reasonable purpose to collect driver's license and other
identification numbers when unreceipted merchandise was returned,"
said a statement from the Commissioner's office.
"TJX stated it asked for this information as part of a fraud
prevention process to identify people frequently returning
merchandise. It retained the driver's license numbers - an
extremely valuable piece of information for identity thieves -
indefinitely," it said.
The office of the Commissioner said that it would not take
action against TJX because the company had already complied with
its requests.
The Office has told the company to improve its security and
privacy practices in specific ways. "[The Commissioners] are
pleased the company has agreed to follow these recommendations,"
said the Office.
The Commissioner is an officer of the Canadian Parliament and
has the power to conduct investigations, compel people to give
evidence and take action through the courts based on Canada's
privacy laws.