• Credit
• Data Breach
• Fraud
• Identity Theft
• Other News
• Privacy
• Reviews
• Scams
• Tips
• Truston

« Previous Post | Blog Home | Next Post »

FTC reaches settlement with TJX

Posted on Mar 27, 2008 by Tom Fragala

So the settlement is that TJX has to submit to a total of 10 security audits over the course of 20 years. Which is something they would do anyway most likely. Now, the FTC has limited powers under the FTC Act and it isn't a law enforcement agency. Still, I expect a lot of people will see this as a soft slap on the wrist.

In two unrelated Federal Trade Commission actions, discount retailer TJX and data brokers Reed Elsevier and Seisint have agreed to settle charges that each engaged in practices that, taken together, failed to provide reasonable and appropriate security for sensitive consumer information. The settlements will require that the companies implement comprehensive information security programs and obtain audits by independent third-party security professionals every other year for 20 years.

According to the FTC complaint, TJX, with over 2,500 stores worldwide, failed to use reasonable and appropriate security measures to prevent unauthorized access to personal information on its computer networks. An intruder exploited these failures and obtained tens of millions of credit and debit payment cards that consumers used at TJX’s stores, as well as the personal information of approximately 455,000 consumers who returned merchandise to the stores. Banks have claimed that tens of millions of dollars in fraudulent charges have been made on the cards and millions of cards have been cancelled and reissued.

Specifically, the agency charged that TJX:

• Created an unnecessary risk to personal information by storing it on, and transmitting it between and within, its various computer networks in clear text;
• Did not use readily available security measures to limit wireless access to its networks, thereby allowing an intruder to connect wirelessly to its networks without authorization;
• Did not require network administrators and others to use strong passwords or to use different passwords to access different programs, computers, and networks;
• Failed to use readily available security measures, such as firewalls, to limit access among its computers and the Internet; and
• Failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as patching or updating anti-virus software.

Read the FTC press release here.