A new report issued by the Office of the Privacy Commissioner of Canada last week cited Winners Merchant International and its parent company, TJX, for failure to satisfy personal information protection standards during a break-in that compromised 45 million payment cards.
Although other factors contributed to the breach, investigators placed much of the blame squarely on WLAN security. “TJX relied on a weak encryption protocol [WEP] and failed to convert to a stronger encryption standard [WPA] within a reasonable period of time,” concludes the report. “The risk of breach was foreseeable … therefore, TJX did not meet the safeguard provisions of either PIPEDA or PIPA.”
Tracking the breach
According to the report, TJX discovered suspicious software on its computer systems in late 2006. TJX suspects that the intrusion started with a WLAN break-in outside two Marshalls stores in Miami, Florida, during July 2005. At that time, the affected APs were secured with WEP. Although not conclusively proven, it is believed that WEP key-cracking tools were used to penetrate those WLANs, giving the intruders access to the store networks.
From there, intruders worked their way through the TJX network into back-end systems – notably Retail Transaction Switch (RTS) servers that process and store customer information related to payment card and merchandise return transactions. Intruders gained access to personal information stored on those systems, including customer names, addresses, telephone numbers, driver’s license numbers, ID numbers, credit card numbers, and expiration dates. The breaches occurred primarily during the second half of 2005 (2H05) and the second half of 2006 (2H06), ending on December 18, 2006.
Nailing the culprits
Investigators also considered whether TJX made reasonable security arrangements to protect the personal information in its custody. “Principle 4.7.1 of PIPEDA stipulates that the security safeguards shall protect personal information against loss or threat, as well as unauthorized access, disclosure, copying, use, or modification,” said the report.
According to the report, physical and operational measures were in place at the time of the breach, but technical measures were faulty. “WEP cannot be relied on as a secure system since the encryption is easily bypassed, and it is not adequate for protecting a network,” said the report.
Strengthening the WLAN
Investigators acknowledged that TJX had launched a WPA upgrade plan back in October 2005. But it did not consider that plan to be timely or sufficient, given the risks involved.
“At the time [of the breach], few retailers had converted to WPA. Yet, we note that there were organizations that had converted to WPA due to risk analyses,” said the report. “Whether or not other retailers made the move to [use] better encryption methods, the fact of the matter is that TJX was the organization subject to the breach.”
Investigators also faulted TJX for failing to segregate cardholder data during its WPA conversion, and for failing to “vigorously monitor” WLAN security threats. “If adequate monitoring was in place, then TJX should have been aware of intrusion prior to December 2006,” said the report.
To address these weaknesses, all TJX stores have now been upgraded to WPA. TJX has also strengthened the monitoring of systems that were compromised by the intruder. “While we respectfully disagree with many of the commissioners’ factual findings and legal conclusions, we have chosen to implement their recommendations, having already implemented most of them, with the remainder in process,” said TJX spokesperson Sherry Lang.
Companies subject to privacy laws and industry regulations have much to learn from TJX's very costly mistake, estimated at $256 million in TJX's 2Q07 earnings report.
Today, four years after WPA products became commercially available, many companies are still using WEP. Some rely on relatively weak "compensating measures" like periodic WEP key rotation and MAC address filtering to satisfy industry standards like PCI DSS.
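The report's finding that WEP's "encryption is easily bypassed," and the point above that periodic key rotation is a weak compensating measure, both come down to how WEP builds its per-frame keystream. The following Python is an added illustration, not code from the article or from any investigation of TJX: it implements textbook RC4 and a simplified WEP frame (the CRC-32 ICV is omitted), then shows that once an attacker knows the plaintext of one frame they can decrypt any later frame sent under the same 24-bit IV without ever learning the root key, and that on a busy AP a repeated IV is expected after only a few thousand frames. The root key, IV, and frame contents are constructed values. This is the IV-reuse weakness; the key-recovery attacks the article alludes to ("key crackers") exploit a different RC4 flaw and are not shown here.

```python
import math
import random


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4: key scheduling followed by the PRGA; returns n keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(root_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Simplified WEP frame body: 3-byte IV sent in the clear, then
    plaintext XOR RC4(IV || root key).  The ICV is left out because it
    plays no part in the keystream-reuse problem demonstrated here."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + xor(plaintext, rc4_keystream(iv + root_key, len(plaintext)))


def recover_keystream(frame: bytes, known_plaintext: bytes):
    """Known-plaintext step: one frame whose contents the attacker knows
    yields the keystream for its IV.  The root key is never recovered."""
    iv, body = frame[:3], frame[3:]
    return iv, xor(body[: len(known_plaintext)], known_plaintext)


def decrypt_reused_iv(frame: bytes, iv: bytes, keystream: bytes):
    """Any other frame under the same IV decrypts with the recovered keystream."""
    if frame[:3] != iv:
        return None
    return xor(frame[3:], keystream)


def frames_until_iv_repeat(seed: int) -> int:
    """Draw random 24-bit IVs (the best case for WEP; many cards simply
    count up from zero) and return how many frames pass before one repeats."""
    rng = random.Random(seed)
    seen = set()
    n = 0
    while True:
        n += 1
        iv = rng.getrandbits(24)
        if iv in seen:
            return n
        seen.add(iv)


def expected_frames_until_repeat(iv_bits: int = 24) -> float:
    """Birthday bound sqrt(pi/2 * 2^bits): about 5,100 frames for a 24-bit IV."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


# WEP data frames carrying IP start with this LLC/SNAP header, so even
# without a chosen plaintext the first 8 keystream bytes of every IV are known.
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")


def demo() -> bytes:
    # Constructed values: a 104-bit root key and one IV the AP happens to reuse.
    root_key = bytes.fromhex("0123456789abcdef01234567")
    iv = bytes.fromhex("0c0d0e")
    # Frame A: plaintext the attacker knows in full, e.g. a ping they sent
    # into the store LAN from the Internet and watched the AP relay over the air.
    known = LLC_SNAP_IP + b"ICMP echo payload, attacker-chosen.."
    frame_a = wep_encrypt(root_key, iv, known)
    # Frame B: a constructed POS transaction sent later under the same IV.
    secret = LLC_SNAP_IP + b"PAN=4111111111111111;EXP=0708"
    frame_b = wep_encrypt(root_key, iv, secret)
    iv_a, keystream = recover_keystream(frame_a, known)
    return decrypt_reused_iv(frame_b, iv_a, keystream)


if __name__ == "__main__":
    print("recovered from reused IV:", demo())
    print("expected frames until an IV repeats:", round(expected_frames_until_repeat()))
    print("frames until first repeat in this run:", frames_until_iv_repeat(1))
```

Because the collision distance is a few thousand frames, rotating the WEP key hourly or daily on a store AP that forwards far more traffic than that per rotation does not prevent keystream reuse; it only shortens how long a recovered keystream stays useful. MAC filtering does nothing here, since the attacker is passively listening and can copy an observed client address when they do transmit. WPA (TKIP) and WPA2 (CCMP) derive fresh per-session keys and use 48-bit sequence counters, which is why the report treats the WPA conversion rather than these compensating measures as the required safeguard.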
The conclusions reached by this Canadian probe demonstrate that, when it comes to security, ignorance is definitely not bliss. While upgrades can certainly take time and money to complete, investigators also expected to see layered security measures like asset management, network segregation, and active monitoring – in other words, indications that the company truly recognized the threat and had taken reasonable steps to mitigate that risk in a timely fashion.
“The company collected too much personal information, kept it too long, and relied on weak encryption technology to protect it — putting the privacy of millions of its customers at risk,” said Canadian Privacy Commissioner Jennifer Stoddart.