Canadian officials fault TJX safeguards
Findings say retailer broke privacy laws, failed to protect data
Framingham discounter TJX Cos. failed to keep adequate security safeguards to protect customer information from hackers who stole millions of credit and debit card numbers after intercepting wireless transactions at two Miami area Marshalls stores, Canadian privacy officials said yesterday.
Their eight-month investigation into the TJX breach - the largest loss of personal data ever reported - concluded that the merchant violated federal and local privacy laws in Canada by gathering vast amounts of consumer information and failing to appropriately monitor or protect the data. Thieves stole at least 45.7 million credit and debit card numbers, along with hundreds of thousands of driver's license numbers, dating to Dec. 31, 2002.
"The company collected too much personal information, kept it too long, and relied on weak encryption technology to protect it - putting the privacy of millions of its customers at risk," said Canada's privacy commissioner Jennifer Stoddart, who released the findings yesterday in Montreal on the opening day of the 29th International Conference of Data Protection and Privacy Commissioners.
TJX, which operates 2,500 stores worldwide, including the Winners and HomeSense brands in Canada, said it worked collaboratively with the Office of the Privacy Commissioner of Canada and the Office of the Information and Privacy Commissioner of Alberta that issued the 20-page report. But the retailer, nonetheless, objected to much of their findings.
"While we respectfully disagree with many of the commissioners' factual findings and legal conclusions, we have chosen to implement their recommendations, having already implemented most of them, with the remainder in process," TJX spokeswoman Sherry Lang said in a statement.
According to Canadian regulators, TJX believes the intruder may have initially gained access to customer information via wireless local area networks at two Marshalls stores in Miami.
These networks use radio waves to collect and transmit data, such as credit card numbers, but the wireless transactions can be intercepted by devices like antennas.
This data is typically encrypted - TJX has said about 75 percent of the stolen cards were expired or had data in the magnetic strip masked - but Canadian regulators said the company's encryption system was outdated and inadequate for safeguarding a network.
In its statement, TJX's Lang contended the company had a wireless encryption tool to protect its in-store wireless networks that complied with industry standards at the time of the breach in July 2005.
TJX also said it had invested millions of dollars on company security before the breach was discovered in December and has taken additional steps since then to strengthen its security systems.
"Business as usual doesn't cut it because the threats have changed. The bad guys have gone pro. They want large amounts of data they can sell," said Ted Julian, vice president of strategy at Application Security Inc. in New York. "There is no perimeter; you need multiple layers of defense and to monitor databases directly."
So far, the US Secret Service and other law enforcement agencies have yet to charge anyone with hacking into TJX systems.
This summer, six individuals in Florida pleaded guilty to using phony credit cards with numbers stolen from TJX to buy goods illegally.
Several weeks ago, authorities arrested a Ukrainian man who allegedly sold card numbers through online forums hosted overseas.
The Canadian privacy agencies do not have the power to impose fines, and officials declined to submit the case to prosecutors who have the authority to levy penalties because TJX agreed to follow their recommendations, many of which have already been implemented, including enhanced encryption technology.
TJX has not collected driver's license numbers for merchandise returns made without receipts since it disclosed the breach in January.
But according to the report, the retailer will resume the practice with increased security by using a system that immediately converts the identification number into a unique code. The identification codes are needed, the company says, to protect against fraudulent returns.
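One way a retailer can match repeat no-receipt returns without keeping the raw driver's license number, as an added Python example (not TJX's system, which the report does not describe in detail): the number is canonicalized and replaced by a keyed HMAC token under a hypothetical store-side secret key. The keyed step matters because an unkeyed hash of a license number could be reversed by enumerating the small space of valid number formats.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed example: the key stands in for a store-side secret held in a key store,
# separate from the returns database. Here it is generated per process for illustration.
TOKEN_KEY = secrets.token_bytes(32)


def normalize_id(raw_id: str) -> str:
    """Canonicalize so formatting variants ("S 123-456" vs "s123456") yield one token."""
    return "".join(ch for ch in raw_id.upper() if ch.isalnum())


def tokenize_id(raw_id: str, key: bytes = TOKEN_KEY) -> str:
    """Return a fixed-length keyed token; the raw license number is never stored."""
    digest = hmac.new(key, normalize_id(raw_id).encode("ascii"), hashlib.sha256).digest()
    return digest.hex()


def record_return(returns_log: list, raw_id: str, amount: float) -> dict:
    """Append a return record that carries only the token, then drop the raw ID."""
    entry = {"id_token": tokenize_id(raw_id), "amount": amount}
    returns_log.append(entry)
    return entry


def flag_repeat_returners(returns_log: list, threshold: int) -> set:
    """Tokens with at least `threshold` no-receipt returns: matchable, but not reversible."""
    counts = Counter(entry["id_token"] for entry in returns_log)
    return {token for token, n in counts.items() if n >= threshold}


def sample_log() -> list:
    """Constructed sample: three returns by one customer (varied formatting), one by another."""
    log = []
    record_return(log, "S123-456-789", 40.0)
    record_return(log, "s 123 456 789", 15.5)  # same customer, different formatting
    record_return(log, "S123-456-789", 99.0)
    record_return(log, "T987-654-321", 12.0)
    return log
```

Rotating the key breaks matching across the rotation boundary, so a deployment has to decide how long return history needs to remain linkable.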
TJX is facing several other investigations over the breach, including one by the US Federal Trade Commission and a multistate probe led by Massachusetts Attorney General Martha Coakley. Officials declined to provide details on these investigations.
The Canadian report comes just days after TJX said it had reached a tentative settlement in a class-action lawsuit with customers who were victims of the security breach. The deal, which still needs court approval, would offer store vouchers to some people whose data were compromised and a three-day sale for all customers.
Allison Bumsted of Milford said she has stopped shopping at TJX since the security breach led Bank of America Corp. to freeze her bank account and cancel her Visa card.
"I'm disappointed that they held onto the information too long. I don't think enough care can be taken when dealing with consumer information," Bumsted said.
"The reality is TJX is trying, but they haven't done it yet. To me, that's the problem. It sounds like security is still an issue they're working on. And I'd rather shop elsewhere."
Jenn Abelson can be reached at abelson@globe.com.