Canadian officials today plan to release the results of an investigation into the massive data security breach at TJX Cos., outlining how hackers entered the company's system and steps to plug future holes.
Jennifer Stoddart, the Privacy Commissioner of Canada, and Frank Work, the Information and Privacy Commissioner of Alberta, will summarize their findings into how intruders breached TJX's computer systems. The presentation is expected to take place at the opening day of the International Conference of Data Protection and Privacy. TJX owns and operates both Winners and HomeSense stores throughout Canada.
The attackers reportedly began their assault on TJX by exploiting Wi-Fi weaknesses at a Marshalls clothing store near St. Paul, Minn. Investigators believe the thieves aimed a telescope-shaped antenna at the store and used a laptop to snatch data transmitted between hand-held price-checking devices, cash registers and the store's computers. The exploit eventually led them into the central database of TJX, where they would repeatedly rob the system of sensitive customer data.
The Canadian report is being issued within days of a tentative settlement reached by TJX in a class-action lawsuit with customers who were victims of the breach. TJX is offering affected customers three years of credit monitoring services and identity theft insurance, according to a public statement released by company president and CEO Carol Meyrowitz.
In the statement, available on the TJX Web site as an "important customer alert", Meyrowitz said the Framingham, Mass.-based retail giant regrets "any difficulties you may have experienced as a result of the criminal attacks on our computer systems announced earlier this year. Importantly, we truly appreciate that you have continued to place your trust in us with your loyalty and patronage."
Meyrowitz insisted that TJX has been working "diligently" with some of the world's best computer security firms to bolster its security while continuing to work with law enforcement and government agencies to bring the attackers to justice.
As part of the settlement, which must still be approved by the courts, customers who were forced to replace their driver's licenses will be reimbursed for the cost, and those whose driver's license or other ID numbers were the same as their Social Security numbers will be compensated for "certain losses from identity theft," TJX said. Customers forced to change bank and credit card information because of the breach will get vouchers that can be redeemed in TJX shops in the U.S., Canada and Puerto Rico. Also, TJX promised to hold a one-time, three-day customer appreciation event with a 15% discount on all merchandise.
"This settlement agreement addresses the different ways customers have told us they have been impacted by the intrusion(s), and we believe that the terms of this settlement are beneficial to our customers," Meyrowitz said.
TJX has spent at least $256 million dealing with the breach, which was first disclosed in January. That's more than 10 times the $25 million figure TJX cited in May. TJX said the expenses went into battening down its computer system and responding to a growing list of investigations and lawsuits against it.
According to TJX's last earnings report, costs related to the data theft in the second quarter bit into its profit by $118 million. Still, TJX said, strong sales continued during the same period, which it cited as proof that customers aren't walking away.
TJX has acknowledged that at least 45.7 million credit and debit cards were stolen over an 18-month period by hackers who managed to penetrate its network. The company gave a tally of the damage in a regulatory filing with the Securities and Exchange Commission (SEC) in March, and also acknowledged that another 455,000 customers who returned merchandise without receipts were robbed of their driver's license numbers and other personal information.