TJX gets blasted

Sep 27, 2007 13:46 GMT  ·  By

Retail giant TJX suffered a severe security breach in which 45 million customers' records were stolen. A huge operation! And as if things weren't bad enough, the Office of the Privacy Commissioner of Canada explains in a report that this breach was predictable. I don't think I need to say more - you've got the idea - the case was severe!

You may read the commissioner's findings by clicking this link. Should you not be familiar with the case, let me tell you that TJX was sitting on a huge pile of data. Some will ask what's wrong with that and argue that many other firms do the same. Well, there is nothing to condemn in that alone, but TJX did not properly encrypt the data - now that was an issue! When you work with a lot of data, you have to protect it!

Here's what a small part of the report reads:

"In summary, the personal information relevant to this investigation consists of:
- Credit card numbers, including expiration dates, used by customers of WMI. This information was collected and retained in order to process payments.
- Names, addresses and telephone numbers of customers of WMI entered electronically after November 2005; and,
- Canadian drivers' license and other provincial identification numbers, and names and addresses used by customers of WMI.
The information in the last two bullets was collected to prevent fraud."

So, now you have an idea of what they had been storing, and wait, just take a look at what the report reads further: "TJX had an encryption protocol in place (WEP) that was in the process of being converted to WPA at the time of the breach. We are of the view that WEP does not provide adequate protection as it can be defeated relatively easily. It appears that the intruder may have accessed the RTS servers and client data due to a weak or inadequate encryption standard. WEP cannot be relied on as a secure system since the encryption is easily bypassed, and it is not adequate for protecting a network. We understand that TJX was in the process of changing to a higher encryption standard, and we acknowledge that a conversion of this nature requires lead time for budget, planning and implementation."
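The report's point is that an inventory still carrying WEP (or open) wireless networks is a finding in itself, and that the migration to WPA has to be tracked until it is complete. The following audit script is an added example, not code from the original article or from TJX or the Commissioner's office; the access-point inventory it runs over is constructed sample data with invented SSIDs. It goes slightly beyond the page by also warning on WPA networks that still use the deprecated TKIP cipher rather than WPA2/CCMP.

```python
"""Audit a wireless access-point inventory for WEP and open networks (added example)."""

# Constructed sample inventory: SSIDs and settings are invented for illustration
# and are not taken from the TJX investigation.
INVENTORY = [
    {"ssid": "store-pos-01", "auth": "WEP", "cipher": "WEP-128"},
    {"ssid": "store-pos-02", "auth": "WPA-PSK", "cipher": "TKIP"},
    {"ssid": "store-guest", "auth": "open", "cipher": "none"},
    {"ssid": "hq-corp", "auth": "WPA2-PSK", "cipher": "CCMP"},
]


def assess(ap):
    """Return (ssid, verdict, reason) for one access-point record.

    verdict is "fail" for WEP or open networks (the report calls WEP inadequate),
    "warn" for WPA with the deprecated TKIP cipher (migrate to WPA2/CCMP),
    and "ok" otherwise.
    """
    auth = ap.get("auth", "").upper()
    cipher = ap.get("cipher", "").upper()
    if auth in ("WEP", "OPEN") or cipher.startswith("WEP"):
        return (ap["ssid"], "fail",
                f"{auth} offers no adequate protection; move to WPA2 (CCMP)")
    if cipher == "TKIP":
        return (ap["ssid"], "warn", "TKIP is deprecated; switch the cipher to CCMP (AES)")
    return (ap["ssid"], "ok", f"{auth}/{cipher}")


def audit(inventory):
    """Return every record that is not "ok", worst findings first (stable order)."""
    order = {"fail": 0, "warn": 1}
    findings = [r for r in (assess(ap) for ap in inventory) if r[1] != "ok"]
    return sorted(findings, key=lambda r: order[r[1]])


if __name__ == "__main__":
    # Prints one line per finding, e.g. "FAIL  store-pos-01: WEP offers no adequate ..."
    for ssid, verdict, reason in audit(INVENTORY):
        print(f"{verdict.upper():5} {ssid}: {reason}")
```

In practice the inventory would be exported from the wireless controller or from a periodic site survey; the value of a check like this is that it turns "we are in the process of converting" into a list that shrinks to zero, which is what an auditor would want to see.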

So, this just proves to us, AGAIN, that some companies get breached because they don't treat cyber-security the way they should. It's not hacker skill, it's the company's lack of interest!