Wireless Systems Faulted in TJX Theft

Hackers stole millions of credit card numbers from discount retailer TJX Cos. by intercepting wireless transfers of customer information from two Miami-area Marshalls stores, according to an eight-month investigation by the Canadian government.

The investigation led by Canadian Privacy Commissioner Jennifer Stoddart faulted TJX for failing to upgrade its data encryption system, and retaining years-old customer data that should have been quickly purged from TJX's data systems.

Among TJX's stores are Winners and HomeSense stores in Canada.

TJX disclosed the breach in January, but the company and U.S. government investigators have yet to publicly disclose how they believe intruders initially broke into TJX's systems in a theft that exposed at least 45 million credit and debit cards to potential fraud.

"The company collected too much personal information, kept it too long and relied on weak encryption technology to protect it -- putting the privacy of millions of its customers at risk," said Stoddart, who announced the findings at an information security conference in Montreal on Tuesday.

TJX spokeswoman Sherry Lang said her company worked collaboratively with Canadian authorities, and would adopt their recommendations to upgrade its information security.

"While we respectfully disagree with many of the Commissioners' factual findings and legal conclusions, we have chosen to implement their recommendations, having already implemented most of them, with the remainder in process," Lang said.

The recommendations include steps to mask driver's license information collected when customers return merchandise without receipts.

Stoddart, who investigated the breach along with Alberta Information and Privacy Commissioner Frank Work, said her office learned from TJX that the hacker or hackers' entry point was a local area wireless network at two Miami area Marshalls stores.

Such networks collect and transmit data via radio waves about customer purchases, including payment card data, although wireless transmissions can be intercepted by means such as antennas. While such data is typically encrypted, Canadian officials said TJX used an encryption method that was outdated and vulnerable to hackers at the time of the breach.

The investigators found customer information was stolen from mid-2005 through 2006 -- in line with what TJX has previously said -- although some stolen information involved transactions dating as long ago as 2002.

Framingham, Mass.-based TJX is the owner of about 2,500 discount stores including Marshalls and T.J. Maxx.


  • What Money in Excel Means for the Future of Microsoft 365 Apps

    Microsoft's new personal finance tool hints at what's in store for next-generation Office applications, from more third-party integrations to subscription requirements.

  • Microsoft Buys Orions Systems To Enhance Vision AI Capabilities in Dynamics 365

    Microsoft announced on Tuesday that it has acquired Orions Systems with the aim of enhancing Dynamics 365 capabilities, as well as the Microsoft Power Platform.

  • Microsoft Hires Movial To Build Android OS for Microsoft Devices

    Microsoft has hired the Romanian operations of software engineering and design services company Movial to develop an Android-based operating system solution for the Microsoft Devices business segment.

  • Microsoft Ending Workflows for SharePoint 2010 Online Next Month

    Microsoft on Monday gave notice that it will be ending support this year for the "workflows" component of SharePoint 2010 Online, as well as deprecating that component for SharePoint 2013 Online.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.