Retailer TJX Settles with FTC Over Consumers’ Data Breach

Discount retailer TJX Cos. Inc. has acquiesced to enhance security of its network of computers in response to FTC's charges of lax security that allowed hackers to commit theft of credit card details of millions of customers, according to the US Federal Trade Commission as reported by REUTERS on March 27, 2008.

In 2007, TJX, based in Framingham, Massachusetts runs over 2,500 stores globally, declared that hackers captured a database containing about 45.7 Million records from the company's computers over a span of two years. Court documents since the announcement, have revealed the amount to be double that number.

In a statement on March 27, 2008, the FTC said that TJX lacked adequate security solutions like wireless defense and firewalls as well as failed to update anti-virus software and patch vulnerabilities. The retail company also failed to insist on strong passwords as well as lacked detection and prevention measures for unauthorized access to computers.

The commission also said that an intruder, who took advantage of these failures, managed to obtain millions of debit and credit payment cards that customers used at the stores of TJX. The hacker also collected nearly 455,000 consumers' personal information, as reported by REUTERS on March 27, 2008.

In the settlement between the TJX companies and the FTC, the retailer must set up a comprehensive security arrangement that would protect the confidentiality, integrity and security of personal data it collects about or from consumers.

More specifically, the FTC has ordered TJX to designate someone to take care of information security, detection of risks to consumers' personal data and installation of safeguards to overcome that risk. The person must also be responsible for preparation of agreements with various service providers, who handle consumers' data, and for adjustment and evaluation of its security policies to meet changes in operation.

In addition, TJX must conduct a third-party audit of the company's security program at every interval of two years over the next twenty years. Also, the company must develop adequate steps to choose and oversee different service providers who handle consumers' personal information received from the retail stores.

Related article: Retailers Still Vulnerable to Attacks on their Wireless Networks

» SPAMfighter News - 4/2/2008