The TJX credit-card number theft was inevitable, a report states: The Privacy Commissioner of Canada has released a report on the theft, enabled by Wi-Fi, of as many as 45m credit-card numbers along with other personal information from TJX, the parent company of TJ Maxx and Marshalls. The commissioner found that too much information was stored for too long and was "not required for business purposes." Beyond name, address, and credit-card details, the retained data included driver's license numbers for customers who returned merchandise without a receipt. TJX failed to conform to Canadian privacy law, the commissioner states. TJX operates a few hundred stores in Canada, and Canadian citizens were among those affected.
Perhaps most damning, it took two years to convert from "a weak encryption standard to a strong standard," which points to a huge ongoing problem for retailers that use point-of-sale systems with only WEP support. Many of these systems are ancient in computer-industry terms (predating 2000), and retailers are, frankly, cheap when it comes to front-of-store IT spending. They upgrade computers only when compelled, or when a new IT director comes on board with a bee in his or her bonnet, or, less often, when efficiency can be provably improved and the cost is worthwhile.
The report notes, "We are of the view that WEP does not provide adequate protection as it can be defeated relatively easily." That is an understatement: WEP encrypts with RC4 under a 24-bit per-frame initialization vector, so keystreams repeat after a few thousand frames, and published key-recovery attacks (FMS in 2001, PTW in 2007) extract the shared key from passively captured traffic. Other retailers were still using WEP in 2005, the report explains, but "whether or not other retailers made the move to enhance their data by using better encryption methods, the fact of the matter is that TJX was the organization subject to the breach." That conclusion is partly based on the fact that TJX retained so much "sensitive personal information."
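To make "defeated relatively easily" concrete, here is an added example (mine, not from the report or anything TJX ran) of WEP's most basic structural flaw: the 24-bit IV. The key, the IV, and the two frames are constructed for the demonstration; the first frame is the kind of predictable request an attacker can guess, the second carries a card number. Because both are encrypted under the same key and IV, the RC4 keystream is identical, and knowing one plaintext decrypts the other. The second part estimates how quickly a repeated IV turns up when IVs are chosen at random.

```python
import math
import random
import zlib

IV_BITS = 24  # WEP prepends a 24-bit per-frame IV to the shared key


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (KSA + PRGA), the stream cipher WEP is built on."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP's integrity check value: a CRC-32 of the plaintext (linear, not a MAC)."""
    return zlib.crc32(plaintext).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || RC4(IV || key) XOR (plaintext || ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    body = plaintext + icv(plaintext)
    return iv + xor_bytes(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    plain = xor_bytes(body, rc4_keystream(iv + key, len(body)))
    data, tag = plain[:-4], plain[-4:]
    if icv(data) != tag:
        raise ValueError("ICV mismatch")
    return data


def recover_with_reused_iv(known_frame: bytes, known_plain: bytes, target_frame: bytes) -> bytes:
    """Two frames under one key and IV share a keystream, so c1 ^ c2 == p1 ^ p2.
    Knowing p1 recovers the keystream, which decrypts p2 wherever the two overlap.
    No key is needed."""
    if known_frame[:3] != target_frame[:3]:
        raise ValueError("attack needs a repeated IV")
    keystream = xor_bytes(known_frame[3:], known_plain + icv(known_plain))
    target_body = target_frame[3:]
    n = min(len(keystream), len(target_body))
    recovered = xor_bytes(target_body[:n], keystream[:n])
    # Drop the trailing 4-byte ICV only when the whole target body was covered
    return recovered[:-4] if n == len(target_body) else recovered


def first_iv_repeat(seed: int) -> int:
    """Frames sent until a randomly chosen IV repeats (simulated with a seeded PRNG)."""
    rng = random.Random(seed)
    seen = set()
    count = 0
    while True:
        count += 1
        iv = rng.getrandbits(IV_BITS)
        if iv in seen:
            return count
        seen.add(iv)


def expected_frames_to_repeat() -> float:
    """Birthday bound for random 24-bit IVs: about sqrt(pi/2 * 2^24), roughly 5,100 frames."""
    return math.sqrt(math.pi / 2 * 2 ** IV_BITS)


if __name__ == "__main__":
    key = bytes.fromhex("0badc0ffee")  # constructed 40-bit WEP key for the demo
    iv = b"\x00\x00\x2a"
    known = b"GET /pos/login HTTP/1.1\r\n"  # constructed guessable traffic
    secret = b"PAN=4111111111111111&exp=0909"  # constructed test card number
    f1 = wep_encrypt(key, iv, known)
    f2 = wep_encrypt(key, iv, secret)  # same key, same IV: the WEP failure mode
    print(recover_with_reused_iv(f1, known, f2))
    print(first_iv_repeat(1), expected_frames_to_repeat())
```

The recovery works per IV and never touches the key; the real-world attacks the report alludes to go further, since the FMS and PTW statistical attacks (as implemented in tools such as aircrack-ng) recover the shared key itself from captured frames, after which every frame on the store network is readable. A busy point-of-sale network emits thousands of frames an hour, so the ~5,100-frame birthday bound means repeats within minutes even before an attacker starts replaying traffic to speed things up.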
TJX was aware of WEP's weaknesses and began a conversion process in Oct. 2005, the report says, but only completed its conversion to WPA in Jan. 2007, months past the deadline set in the card industry's own processing rules. It is moving beyond that, possibly to 802.1X: "The final conversion to a higher level of encryption will be completed soon." (802.1X on its own supplies authentication and per-session key distribution rather than a stronger cipher; the stronger cipher would be WPA2's AES-CCMP in place of WPA's TKIP.) During that period of improving encryption, "there is no indication that it segregated its data so that cardholder data could be held on a secure server while it undertook its conversion to WPA."
I'm not sure how this affects any civil cases in process or yet to be filed, but it's fairly critical of TJX's overall approach to security and identity protection. It may be fodder for settlements with governments and individuals.