Canadian officials criticize TJX
Retailer TJX Cos. failed to put in place adequate security safeguards to protect customer information, the privacy commissioner of Canada said today.
TJX responded by saying that while "we respectfully disagree with many of the commissioners' factural findings and legal conclusions," the company has chosen to implement the commissioners' recommendations, with most of them already in place.
A joint investigation by Canada's commissioner of privacy and Alberta's privacy commissioner was launched after TJX, the Framingham-based operator of such chains as T.J. Maxx and Marshalls, disclosed in January that its computer system had been breached, resulting in the theft of millions of credit card and debit card numbers, Canadian regulators said.
"The company collected too much personal information, kept it too long, and relied on a weak encryption technology to protect it - putting the privacy of millions of customers at risk," Jennifer Stoddart, privacy commissioner of Canada, said in a statement.
Stoddart added, "A database of millions of credit card numbers is a potential gold mine for fraudsters, and it needs to be protected with solid security measures."
According to Canadian regulators, TJX believes the intruder may have initially gained access to customer information via the wireless local area networks at two of its US stores.
TJX noted in a statement: "TJX agrees with the commissioners' report that storage of consumer data should occur only when there is a legitimate business need for doing so. A key component of our customer service is a no-hassle merchandise return policy, and collecting and storing drivers license numbers from customers returning merchandise without a receipt was pivotal to launch prevention relating to this policy."
TJX also said that it had invested millions of dollars on company security before the breach, and following the breach, it took additional steps to strengthen its security systems.
(By Chris Reidy, Globe staff)
