TJX mishandled private data, privacy commissioner says

Published: September 26th, 2007

TJX and its retail companies collected too much information, held it too long and used inadequate encryption technology to protect it, the Privacy Commissioner of Canada said in a report published Tuesday.

The report highlights how intruders breached the computer system at TJX Companies Inc., the U.S.-based owner of Winners and HomeSense stores, accessing personal information of approximately more than 45 million individuals. Privacy Commissioner of Canada Jennifer Stoddart worked with Frank Work, Information and Privacy Commissioner of Alberta, on the report.

Although TJX and its companies had some security technology in place, Work noted that the security measures put in place relied on weak encryption technology, in particular Wired Equivalent Privacy, or WEP. The commissioners said the company was too slow to migrate to Wi-Fi Protected Access (WPA), which might have prevented hackers from getting the data through its wireless network. Stoddart, however, suggested that better encryption was not necessarily the answer.

“In my mind, there will never be a complete technological answer to this,” she said. “I think it’s up to us as citizens and consumers to take responsibility.”

The report finds particular fault with TJX companies’ practice of recording drivers’ license numbers as a way of preventing fraudulent returns of products without a receipt. In some cases this information was kept indefinitely, as were customers’ phone numbers, which were sometimes used for marketing purposes.