Hackers stole millions of credit card numbers from discount retailer TJX Cos. by intercepting wireless transfers of customer information at two Miami-area Marshalls stores, according to an eight-month investigation by the Canadian government.
The probe, led by Canadian Privacy Commissioner Jennifer Stoddart, faulted TJX for failing to upgrade its data encryption system by the time the electronic eavesdropping began in July 2005. The break-in ultimately gave hackers undetected access to TJX's central databases for a year and a half, exposing at least 45 million credit and debit cards to potential fraud.
"The company collected too much personal information, kept it too long and relied on weak encryption technology to protect it — putting the privacy of millions of its customers at risk," said Stoddart, who serves as an ombudsman and advocate to protect Canadians' privacy rights. She announced the findings at an information security conference in Montreal on Tuesday.
Credit card associations have declined to disclose total damages from thefts that are believed tied to the TJX breach. But some banks have said they've learned of fraudulent purchases as far away as Hong Kong and Sweden.
Stoddart said the Framingham, Mass., retailer retained customer data years after it should have been purged, including driver's license numbers collected when customers returned merchandise without receipts. Some of the stolen information was from transactions concluded as long ago as 2002.
TJX contested some of the Canadian agency's findings but agreed to upgrade security, including masking driver's license numbers by converting them into unique identification numbers in TJX's systems.
Stoddart found TJX violated a Canadian privacy law and failed to meet retail industry standards for protecting credit card data. She said TJX cooperated with her investigation, so her office didn't pursue a case with Canada's federal courts, which have the power to levy damages.
TJX is the owner of about 2,500 stores, including T.J. Maxx and Marshalls and, in Canada, Winners and HomeSense.
The company and U.S. government officials who are still investigating have yet to publicly disclose how they believe intruders initially broke into TJX's systems.
Stoddart, who investigated the breach along with Alberta Information and Privacy Commissioner Frank Work, said TJX told her office the hacker or hackers apparently entered through a local area wireless network at two Miami-area Marshalls stores.
TJX spokeswoman Sherry Lang didn't dispute that the breach originated in Miami but said TJX and outside experts the company hired haven't concluded whether a wireless system was exploited.
"It's suspected but not yet proven," she said.
She said the company cooperated with Canadian authorities.
"While we respectfully disagree with many of the commissioners' factual findings and legal conclusions, we have chosen to implement their recommendations, having already implemented most of them, with the remainder in process," Lang said.
Retail wireless networks collect and transmit data via radio waves so information about purchases and returns can be shared between cash registers and store computers. Wireless transmissions can be intercepted by antennas, and high-power models can sometimes intercept wireless traffic from miles away.
While such data is typically scrambled, Canadian officials said TJX used an encryption method that was outdated and vulnerable. The investigators said it took TJX two years to convert from Wireless Encryption Protocol to more sophisticated Wi-Fi Protected Access, although many retailers had done so.
Lang said TJX's systems complied with industry standards when the breach started. She said TJX chose in 2005 to make the conversion and needed more time than some retailers because its systems weren't compatible with the WPA standard.
Lang said TJX completed the switch in time to remain in good standing with credit card associations like Visa and Mastercard. She declined to specifically say when TJX finished switching encryption systems.
Mastercard spokesman Chris Harrall declined to comment on whether TJX was in compliance, and a Visa spokesman did not immediately return a phone call.
TJX has said it detected the breach by finding "suspicious software" on its computer systems in December 2006.
On March 28, TJX said at least 45.7 million of its shoppers' cards had been compromised. It has said about three-quarters of the cards had expired by the time of the theft or the stolen information didn't include security code data from the cards' magnetic stripes.
Ten people were convicted in Florida this year for their roles in a ring using stolen TJX customer data to buy gift cards.
They aren't believed to be the hackers who broke into TJX's systems. No arrests have been made in that aspect of the case.
A Ukrainian man recently arrested in Turkey is suspected of selling some of the card numbers stolen in the TJX breach. But U.S. investigators have said they do not believe he was involved in the data breach.