TJX Encryption, Data Retention Details Trickle Out

Written by Evan Schuman
September 26th, 2007

TJX still insists on retaining customer confidential data for 18 months, according to Canadian officials.

TJX is still retaining customer data for far too long (18 months) and for the wrong reasons, although its current wireless efforts appear adequate, according to a report issued Tuesday by the Office of the Privacy Commissioner of Canada and the office of the Information and Privacy Commissioner of Alberta.

The report shed light on a few details of the TJX situation, but it didn’t answer the critical questions of how it happened. Reports have focused on a wireless hack and on breaking into a job application kiosk.

The Canadian report made a cursory reference to the wireless effort, but couched it by saying that “TJX informed us that the intruder may have gained entry into the system outside of two stores in Miami, Florida.” If taken literally, that says little, other than wireless access is still one of the main theories of TJX. The report mentioned nothing about any other theories.

The only new detail is the reference to Miami. Prior reports, beginning with a May report in the Wall Street Journal, had fairly consistently placed the point of wireless penetration in St. Paul, Minn. But with no specifics as to the method used or the date of the assault, those details are relatively meaningless.

One interesting observation in the report is an unintended benefit to IT procrastination. “TJX states that, in Canada, personal information provided in connection with unreceipted returns at (TJX subsidiary Winners Merchant International) stores could not have been accessed in 2005 because WMI stores only began entering this personal information electronically in November 2005,” the report said. “Prior to this date, the names, addresses and telephone numbers of customers making unreceipted merchandise returns at WMI stores were retained in paper form.”

More enlightening were sections that discussed TJX’s wireless and encryption efforts.

On that wireless front, the report confirmed that TJX had been using Wired Equivalent Privacy (WEP) encryption protocol during almost all of the period of the breaches, despite having made a decision in September 2005 to upgrade to the much stronger Wi-Fi Protected Access (WPA) encryption protocols.

But the report has that decision being made and fully deployed much too late. Although it had decided to make the move from WEP to WPA in September 2005, “experts have questioned the use of WEP as a secure protocol” since 2003. “The Institute of Electrical and Electronic Engineers (IEEE) is the organization that originally developed the WEP standard. In June of 2003, the IEEE itself recommended that the wireless encryption standard move from WEP to WPA.”

Even after deciding in September 2005 to move to WPA, the report said, it didn’t complete the rollout until mid-January 2007, which was the exact point when TJX announced to the world the largest retail data breach ever.

The Canadian privacy officials were not pleased with TJX’s encryption efforts. “There were flaws. TJX relied on a weak encryption protocol and failed to convert to a stronger encryption standard within a reasonable period of time,” the report said, adding, “While TJX took the steps to implement a higher level of encryption, there is no indication that it segregated its data so that cardholder data could be held on a secure server while it undertook its conversion to WPA.”

Data retention was another key concern cited in the report. On the plus side, TJX did make “an immediate decision to limit the retention period for data on its Retail Transaction Switch (RTS) servers” and it suspended “the collection of drivers’ license and other personal information in return-of-goods transactions,” which had been mandatory at the time of the breach, the report said.

But “TJX also states that it needs to retain credit-card and debit-card transactional data elsewhere in the organization for 18 months. This will allow time for customers to challenge charges, for audit purposes, for charge backs and for meeting its contractual obligations with the card issuers. (TJX) also responded to us that it retained drivers’ license information for troubleshooting purposes.”

The report praised a TJX method to try and make the driver’s license less useful to cyberthieves.

“The new process makes use of what is referred to as a cryptographic hashing function in which identification numbers are immediately converted into a new number referred to as a ‘hash value’ thereby rendering actual drivers’ license numbers unreadable to any WMI or TJX employee,” the report said. “The hash value would accomplish the goal of establishing a unique numeric identifier. TJX’s return management system could operate in the same way as it presently does since the same identification number could be repeated or transformed into the same hash value every time, but the driver’s license number would no longer exist in TJX’s system and could not be reproduced.”

TJX is also using the hash approach on existing identification numbers in TJX’s databases, “effectively removing them from the TJX/WMI system permanently. Until the existing numbers have been hashed, TJX has committed to encrypting them.”
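As an added illustration written for this article (not TJX’s or WMI’s code), the following shows the returns-tracking scheme the report describes: the license number is replaced at intake by a deterministic hash value, and existing raw numbers are converted the same way. It uses a keyed hash (HMAC-SHA256) rather than a bare hash, because a plain hash of a structured, low-entropy identifier such as a license number can be matched against candidate values; the key, the record layout and the sample numbers are assumptions for the example.

```python
import hashlib
import hmac
import re

# Placeholder key for the example only. In a real deployment the key would be
# held in a separately managed secret store, away from the returns database,
# since whoever holds it can recompute tokens for candidate license numbers.
EXAMPLE_KEY = b"example-key-do-not-use-in-production"


def normalize_license(raw: str) -> str:
    """Canonicalize formatting so 'd123-4567' and 'D1234567' map to one token."""
    return re.sub(r"[^A-Z0-9]", "", raw.upper())


def license_token(raw: str, key: bytes = EXAMPLE_KEY) -> str:
    """The 'hash value' stored in place of the driver's license number.

    Same input always yields the same token, which is all a return-management
    system needs to recognise a repeat returner without keeping the number."""
    msg = normalize_license(raw).encode("ascii")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def record_unreceipted_return(ledger: dict, raw_license: str, amount: float) -> int:
    """Log a return against the token only; the raw number is never written.

    Returns the number of returns now recorded for that token."""
    token = license_token(raw_license)
    ledger.setdefault(token, []).append(amount)
    return len(ledger[token])


def hash_existing_numbers(rows: list[dict]) -> list[dict]:
    """Convert legacy rows that still hold a raw license number.

    Each output row carries only 'license_token' plus the other fields, which
    mirrors the report's description of removing the numbers permanently."""
    converted = []
    for row in rows:
        new_row = {k: v for k, v in row.items() if k != "license"}
        new_row["license_token"] = license_token(row["license"])
        converted.append(new_row)
    return converted


def raw_license_present(ledger: dict, raw_license: str) -> bool:
    """Sanity check for the stored ledger: the raw number must not appear in it."""
    needle = normalize_license(raw_license)
    return any(needle in token for token in ledger)
```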

But TJX’s intent to use the data for 18 months and for troubleshooting drew a less supportive response. “TJX has not presented a persuasive argument regarding the retention of this information for longer than 18 months, nor any rationale as to why all the information needed to be retained in an identifiable format for such a lengthy time for this purpose,” the report said. “Further, ‘troubleshooting’ is not directly related to the purpose for which the information was collected in the first place.”

Canadian privacy rules “specifically requires that personal information be retained only as long as necessary for the fulfillment of the purposes for which the information was collected, not for a new purpose arising after the fact.”
