Winners Privacy Commissioner Jennifer Stoddart speaks at a press conference in Montreal on Tuesday, Sept. 25, 2007. (CP / Graham Hughes)  Frank Work, the Information and Privacy Commissioner of Alberta, appears at a press conference in Montreal Tuesday, Sept. 25, 2007.  (CP / Graham Hughes)

Lax security efforts led to Winners breach: report


Date: Tue. Sep. 25 2007 10:48 PM ET

A joint investigation into a major privacy breach has determined that a retail company was collecting too much information and using too few safeguards to protect customers.

Privacy commissioners held a news conference Tuesday to reveal the results of their probe into how intruders breached the computer system at TJX Companies Inc., the U.S.-based owner of Winners and HomeSense stores, earlier this year.

The breach put the personal information of millions of customers, including Canadians who shop at Winners and HomeSense, at risk.

Privacy Commissioner of Canada Jennifer Stoddart and Alberta Information and Privacy Commissioner Frank Work held the news conference in Montreal at the 29th International Conference of Data Protection and Privacy Commissioners.

Work told reporters that TJX collected driver's licence numbers, credit card numbers and transaction records from customers. In some cases, he said, the information was retained indefinitely, for no apparent reason.

And, he added: "The security measures put in place relied on weak encryption technology. TJX HomeSense/Winners should have moved to a better protocol earlier."

Thieves were able to hack into the company's database and use the information.

"A database of millions of credit card numbers is a potential goldmine for fraudsters and it needs to be protected with solid security measures," Stoddart said.

"The TJX breach is a dramatic example of how keeping large amounts of sensitive information -- particularly information that is not required for business purposes -- for a long time can be a serious liability."

The investigation was launched after TJX announced in January that its computer system had been breached. Customer information was stolen from mid-2005 through Dec. 2006.

The report recommends that TJX continue to collect credit card numbers, but implement a "hashing" system that converts each credit card number into a code that can be used as a reference in future, and then purges the actual number from the system.
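The hashing recommendation above, worked through as an added example that is not code from the report, TJX, or the commissioners. The example assumes a keyed hash (HMAC-SHA256) rather than a plain digest: card numbers have so little entropy (a known issuer prefix, a Luhn check digit, and a handful of free digits) that an unkeyed hash of a card number can be reversed by enumeration, so the key is what makes the stored code safe to keep, and it must live somewhere other than the transaction database (an HSM or separate key service). Function names, the test key and the sample card number are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if a digit string passes the Luhn check that card numbers carry.

    This rejects typos before they are hashed; it is a format check, not a fraud check.
    """
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tokenize_pan(pan: str, key: bytes) -> dict:
    """Derive a reference code from a card number (PAN) with HMAC-SHA256.

    The returned record deliberately contains no PAN: only the keyed hash, which
    is stable for the same card under the same key, and the last four digits,
    which are commonly kept so staff can confirm a card with the customer.
    """
    pan = pan.replace(" ", "").replace("-", "")
    if not luhn_valid(pan):
        raise ValueError("not a well-formed card number")
    token = hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()
    return {"token": token, "last4": pan[-4:]}


def redact_transaction(record: dict, key: bytes) -> dict:
    """Replace the 'pan' field of a stored transaction with its token and last4.

    This is the 'purge the actual number' step: the caller keeps the returned
    record and discards the original.
    """
    cleaned = {k: v for k, v in record.items() if k != "pan"}
    cleaned.update(tokenize_pan(record["pan"], key))
    return cleaned


def same_card(pan: str, stored_token: str, key: bytes) -> bool:
    """Check whether a card presented later matches a stored token.

    compare_digest keeps the comparison constant-time so the match does not
    leak which prefix of the token agreed.
    """
    candidate = tokenize_pan(pan, key)["token"]
    return hmac.compare_digest(candidate, stored_token)


if __name__ == "__main__":
    # Constructed sample: a Luhn-valid test number, not a real customer's card.
    key = secrets.token_bytes(32)   # in production this comes from an HSM/key service
    txn = {"store": "constructed-store-001", "amount": 42.50, "pan": "4111 1111 1111 1111"}
    safe = redact_transaction(txn, key)
    print(safe)                      # no 'pan' field, only token and last4
    print(same_card("4111111111111111", safe["token"], key))
```

The token is only as good as the key management around it: rotate keys with a re-tokenization step, never log the input PAN, and treat the hashing host as in scope for the card-industry standard the report says TJX failed to follow.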

Work said the report focuses on the incident with TJX, but many other companies also collect more information than they need and use inadequate safeguards. The TJX incident illustrates the need for all retailers to tighten up security measures, he said.

"The value of this report lies in informing retailers on how not to get burned," Work said.

It's also a wake-up call for consumers, says a computer science professor caught up in the credit fraud.

"For me it reiterates the fact that you need to trust who it is that you are purchasing from, and it was that trust that was lost with Winners," Dean Jin told CTV News.

Jin got new credit cards. He also signed on to a class action lawsuit against the Winners and HomeSense parent company, TJX.

The lawyer handling the suit says the company has agreed to a proposed settlement, but it sends a message to retailers that they need to plug holes in their security systems.

"The settlement provides that in excess of 200,000 Canadians will qualify for a voucher to be used at Winners and HomeSense and that voucher will be worth $30 and $60," said Evatt Merchant.

"In a digital, wired world our bits and pieces of information are more important than ever," Stoddart said at the news conference.

"The message for retailers is think carefully about how you use personal information. ...Think about what information you're collecting, why you have to collect it, how long you should keep it and how safely it is stored."

For example, Stoddart said there is no reason for retailers to collect phone numbers from customers, and shoppers should be wary about providing such information to a retail company. But she added that both consumers and retailers need to take greater responsibility.

"Consumers should worry a lot more than they do," Stoddart said.

"We're all busy, we're all running from one thing to another, but consumers should worry more about what's happening with their personal information."

The report found TJX failed to do the following:

  • Use adequate protection against intruders;
  • Act quickly in upgrading their encryption standard;
  • Monitor its computer systems vigorously;
  • Adhere to the Payment Card Industry Data Security Standard.

DM
said
0 0

Many companies assign a dollar value for your personal information - it's between 0.005 and 0.02 cents per dollar.

When you purchase a service or product, you are purchasing it with a combination of fiat currency and personal information. It would also be wise for each consumer to place a value on their own personal info. (I tend to agree with the value of 0.02/$1.)

For example: on a $20 purchase a retailer that has assigned a value of $0.02/$1 will discount at an average of $0.40 if you provide the loyalty card.

You can only comparison shop once you have assigned a value to your own personal info.

Someone once told me that she would never give out her phone number to a retailer even for a $million... I'll take the money, thank you.


Russell Johnston
said
0 0

I find it infuriating that I keep having to mail in product registrations rather than register for warranties online, because the information demanded in order to register online always far exceeds what is either necessary or safe to disclose. Info-greed is rampant amongst companies, despite the risks.


Security_Nightmares_Ahead
said
0 0

Even after doing everything possible to secure my PHP/MySQL programmed Web Site it is still not completely secure. That is why I will not take sensitive information from subscribers. Shared Web hosted Sites are particularly vulnerable. Buyers using credit cards should shop from Sites situated on dedicated servers. Canadians may want to try to come up with a national solution for this dilemma. Paypal is good but has its problems.


hassan
said
0 0

As a former bank worker and collection agent, even though the bank or other institutions say to your face that they will not pass on info, read the small print, people: it states that in case of default we are permitted to submit any info necessary to obtain our finances. This is not a shock to me whatsoever. Just some FYI: if you read the consumer protection act, you do not by law have to even give a social insurance number to a bank for a loan if you wish not to.

island girl
said
0 0

I refuse to get those 'membership cards' for points or to get merchandise at lower prices. They get all kinds of info on you when you apply for those point cards, then every time they scan your card they're gathering more info on you re. buying habits, etc. I consider this a huge invasion of privacy and a few 'points' are not going to convince me to let a store gather info about me.


Michelle
said
0 0

The information retailers are collecting is not necessary for returning a product, so it shouldn't be asked for in the first place. Consumers should not have to just "fake it". And if it is for quality control, that is not told to the consumer. And frankly, if you want quality control, hand out an anonymous survey every time a customer returns something. They don't need to put their information on, just how they found the service. I have also worked front line retail and when I asked my supervisor what I should tell people when asked why we are asking for this information, she told me that we give them ours, don't we? We were told that we need it to return the product. We weren't trained in the legislation protecting their information, and we really couldn't tell them who had access to it and if it was safe. We should educate ourselves to know what our rights are as consumers when it comes to giving our information. I admit I fake giving my information because it is more of a hassle not to give it.


Angela, Calgary
said
0 0

I've worked in front line retail for over 8 years and for this article to be saying that consumers need to be more wary is very upsetting. I have had my head ripped off more than enough times by consumers adamantly arguing over why they should give up their personal information for returns. The thing is that if you have such a problem with it, FAKE IT. Give an obvious or not obvious fake name, and so on, i.e.: 555-555-5555 is your phone number! The reason the companies I worked for needed the information was for quality control. The information is gathered from RETURNS ONLY and the quality control department would call and ask one out of every 100 customers whether they were treated courteously and whether they would shop with our company again. Have a SPAM ONLY email address: create one that is just for mailing lists and the sort, so that if the email collection is legitimate, you have a means to collect the information you need without filling your real mailbox with SPAM. Customers are wary, they just don't need to take it out on the hapless sales associates who are JUST DOING THEIR JOBS! AND they just need to be made aware of the options they have.


Lex
said
0 0

According to the freedom of information act we don't have to give them anything and they just have to deal with it. (I worked in retail for many years, after the act was updated, our company came up with a customer profile to use if people refused to give us their info.) Telling us that they are 'unable' to proceed with the returns or anything else is blackmailing us to give them our information. And then this happens and we find out that they are using weak security measures?? They are lucky no one has sued them yet!


DW
said
0 0

I think, due to the company's lack of foresight and security, they should be held accountable to the many people that lost money.


k
said
0 0

You say companies do not need your phone # or other sensitive info, but most ask for it, especially if you are returning a product; otherwise they will not accept it back. So saying we should not give out as much information is not negotiable, so I think the retailers should be held more accountable than they are now. I think they should have to tell the public the day they are hacked so people can put their own safety nets together. I think retailers have way too much power over consumers and that should stop. We the consumers should have this power; it is us who buy their products.


Jan
said
0 0

Similar to Cathy's response, I attempted to return merchandise to (a store) in April 2005, with receipt, and was told that they needed my driver's licence. When I refused, I was advised that they wouldn't be able to process the return. I told the clerk that perhaps I didn't drive, and therefore didn't have one, to which she replied that they then needed my passport or health card. When I asked what they did with the information, she said that she entered it into her computer, but couldn't advise who else had access to it. When I advised her that this practice was contrary to PIPEDA, she gave me a 1-800 customer service number to call. Foolishly, I then provided my D/L to proceed with the return. I wrote letters to OHIP, Passport Canada, the Ministry of Transportation and HomeSense/Winners at the time (before this big scandal unfolded), and received not a single reply.


Cathy
said
0 0

I find the report very enlightening as a consumer. On a few occasions I have had to return products purchased ... They insist on name, phone#, address etc., and driver's licence. I was told that unless I gave that information I would not be able to return the product. I was also told it makes it less likely for someone else to come in and return a product under my name. The customer service clerk became quite upset when I refused to give her my driver's licence information. Needless to say I no longer do much shopping (there) as I feel that information is private and not for saving in their databases.


Cathy
said
0 0

I find the report very enlightening as a consumer. On a few occasions I have had to return products purchased from Canadian Tire. They insist on name, phone#, address etc., and driver's licence. I was told that unless I gave that information I would not be able to return the product. I was also told it makes it less likely for someone else to come in and return a product under my name. The customer service clerk became quite upset when I refused to give her my driver's licence information. Needless to say I no longer do much shopping at Canadian Tire as I feel that information is private and not for saving in their databases.


Davey Legasse
said
0 0

I absolutely refuse to give information to stores. If I'm asked for an address or other information I won't give it up. If the clerk insists, I make it up and I tell them that I'm making it up. The usual response is "that's okay, I have to put something in here, anything will do."

That guy whose address I'm giving up must be getting a lot of marketing information. hehehe


Randy
said
0 0

From reading the story it appears that the company could have better protected the information if they had put more of an effort into it. They didn't, and now consumers shouldn't put an effort into shopping at their stores.

