follow-up: TJX's Security System Faulted in Canada Probe

[security curmudgeon <jericho () attrition org>]

---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://online.wsj.com/article/SB119076398490039298.html

By Joseph Pereira
September 26, 2007

TJX Cos., owner of the T.J. Maxx and Marshalls discount chains, failed to 
upgrade its data-encryption system in time to thwart one of the largest 
credit-card data thefts in North America, a Canadian government 
investigation found.

Investigators also found that the Framingham, Mass.-based retailer was 
holding on to its customers' personal information unnecessarily and for 
too long, exposing data on at least 45.7 million credit-card numbers to 
hackers.

As a result of their findings, the privacy commissioners of Canada and the 
province of Alberta -- which jointly conducted the seven-month probe -- 
recommended a number of corrective actions by TJX, including the use of a 
sophisticated coding system to protect driver's-license information and 
the deletion of all credit-card data after 18 months.

"Basically, what we're asking for is standard practice in the industry," 
said Wayne Wood, a spokesman for the Office of the Information and Privacy 
Commissioner of Alberta.

[..]
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml