TJX Update: Learning From The Mistakes

The results of a joint investigation into the TJX security breach by Canada’s National Privacy Commissioner and Alberta’s Privacy Commissioner were released on September 24, 2007. In the report, the Commissioners found that TJX collected unnecessary personal information and retained personal information for an unnecessarily long period of time. Further, the Commissioners identified as a security flaw TJX’s failure to expedite its transition from an encryption protocol it knew was weak to a stronger one. Finally, the report suggests that TJX did not monitor its systems “vigorously” enough, thereby unnecessarily delaying the discovery of the breach. While TJX does dispute some of the Commissioners’ findings, the concepts regarding the use of personal information, the necessity of implementing the most up-to-date and secure encryption protocol, and the need to monitor systems for breaches are all viable risk management tips.

You may recall that the last time we reported on TJX, the costs of the breach were estimated at $8 million. Current reports indicate the total costs of the TJX breach are $256 million.