funsec mailing list archives

Inadequate security safeguards led to TJX breach, Commissioners say


From: <rms () computerbytesman com>
Date: Tue, 25 Sep 2007 11:47:33 -0400

http://www.newswire.ca/en/releases/archive/September2007/25/c4626.html

Inadequate security safeguards led to TJX breach, Commissioners say 

OTTAWA, Sept. 25 /CNW Telbec/ - The risk of a breach of sensitive
personal information held by TJX Companies Inc., the US parent company of
Winners and HomeSense stores in Canada, was foreseeable, but the company
failed to put in place adequate security safeguards, an investigation by the
Privacy Commissioners of Canada and Alberta has found.

"The company collected too much personal information, kept it too long
and relied on weak encryption technology to protect it - putting the privacy
of millions of its customers at risk," says Privacy Commissioner of Canada
Jennifer Stoddart.

"Criminal groups actively target credit card numbers and other personal
information," says Commissioner Stoddart. "A database of millions of credit
card numbers is a potential goldmine for fraudsters and it needs to be
protected with solid security measures.

"The TJX breach is a dramatic example of how keeping large amounts of
sensitive information - particularly information that is not required for
business purposes - for a long time can be a serious liability."

 

- TJX did not properly manage the risk of an intrusion against the amount
  of customer data that it collected.
- The company failed to act quickly in converting from a weak encryption
  standard to a stronger standard.  The conversion process took two years
  to complete, during which time the breach occurred.
- TJX did not meet its duty to monitor its computer systems vigorously.
  An adequate monitoring system should have alerted the company of an
  intrusion prior to December 2006.
- The company did not adhere to the requirements of the Payment Card
  Industry Data Security Standard, which was developed to address the
  growing problem of credit card data theft.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
