TJX Encryption, Data Retention Details Trickle Out

TJX still insists on retaining customer confidential data for 18 months, according to Canadian officials.

TJX is still retaining customer data for far too long, 18 months, and for the wrong reasons, although its current wireless efforts appear adequate, according to a report issued Tuesday by the Office of the Privacy Commissioner of Canada and the office of the Information and Privacy Commissioner of Alberta.

The report shed light on a few details of the TJX situation, but it didn't answer the critical questions of how it happened. Reports have focused on a wireless hack and on breaking into a job application kiosk.

The Canadian report made a cursory reference to the wireless effort, but couched it by saying that "TJX informed us that the intruder may have gained entry into the system outside of two stores in Miami, Florida." Taken literally, that says little, other than that wireless access is still one of TJX's main theories. The report mentioned nothing about any other theories.

The only new detail is the reference to Miami. Prior reports, beginning with a May report in the Wall Street Journal, had fairly consistently placed the point of wireless penetration in St. Paul, Minn. But with no specifics as to the method used or the date of the assault, those details are relatively meaningless.

One interesting observation in the report is an unintended benefit to IT procrastination. "TJX states that, in Canada, personal information provided in connection with unreceipted returns at (TJX subsidiary Winners Merchant International) stores could not have been accessed in 2005 because WMI stores only began entering this personal information electronically in November 2005," the report said. "Prior to this date, the names, addresses and telephone numbers of customers making unreceipted merchandise returns at WMI stores were retained in paper form."

More enlightening were sections that discussed TJX's wireless and encryption efforts.

On that wireless front, the report confirmed that TJX had been using Wired Equivalent Privacy (WEP) encryption protocol during almost all of the period of the breaches, despite having made a decision in September 2005 to upgrade to the much stronger Wi-Fi Protected Access (WPA) encryption protocols.

But the report found that the decision was made, and fully deployed, much too late. Although TJX had decided to make the move from WEP to WPA in September 2005, "experts have questioned the use of WEP as a secure protocol" since 2003. "The Institute of Electrical and Electronic Engineers (IEEE) is the organization that originally developed the WEP standard. In June of 2003, the IEEE itself recommended that the wireless encryption standard move from WEP to WPA."

Even after deciding in September 2005 to move to WPA, the report said, it didn't complete the rollout until mid-January 2007, which was the exact point when TJX announced to the world the largest retail data breach ever.

The Canadian privacy officials were not pleased with TJX's encryption efforts. "There were flaws. TJX relied on a weak encryption protocol and failed to convert to a stronger encryption standard within a reasonable period of time," the report said, adding, "While TJX took the steps to implement a higher level of encryption, there is no indication that it segregated its data so that cardholder data could be held on a secure server while it undertook its conversion to WPA."

Data retention was another key concern cited in the report. On the plus side, TJX did make "an immediate decision to limit the retention period for data on its Retail Transaction Switch (RTS) servers" and it suspended "the collection of drivers' license and other personal information in return-of-goods transactions," which had been mandatory at the time of the breach, the report said.

But "TJX also states that it needs to retain credit-card and debit-card transactional data elsewhere in the organization for 18 months. This will allow time for customers to challenge charges, for audit purposes, for charge backs and for meeting its contractual obligations with the card issuers. (TJX) also responded to us that it retained drivers' license information for troubleshooting purposes."

The report praised a TJX method intended to make the driver's license number less useful to cyberthieves.

"The new process makes use of what is referred to as a cryptographic hashing function in which identification numbers are immediately converted into a new number referred to as a 'hash value' thereby rendering actual drivers' license numbers unreadable to any WMI or TJX employee," the report said. "The hash value would accomplish the goal of establishing a unique numeric identifier. TJX's return management system could operate in the same way as it presently does since the same identification number could be repeated or transformed into the same hash value every time, but the driver's license number would no longer exist in TJX's system and could not be reproduced."

TJX is also applying the hash approach to existing identification numbers in TJX's databases, "effectively removing them from the TJX/WMI system permanently. Until the existing numbers have been hashed, TJX has committed to encrypting them."
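The two paragraphs above describe the hashing scheme only in outline. The following is an added example, not code from TJX or from the Canadian report, showing how such a return-management system can replace stored driver's license numbers with stable tokens and still count repeat returns. The report says only "cryptographic hashing function"; the choice of a keyed hash (HMAC-SHA256) here is an assumption, made because a plain unkeyed hash of a short, structured identifier like a license number can be matched against a precomputed list of all possible numbers, whereas a keyed hash cannot be reproduced without the key. The record layout, field names and key are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed demo key. In a production system the key would live in an HSM
# or key-management service, separate from the return-management database,
# so that a copy of the database alone cannot be used to rebuild the tokens.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def pseudonymize_id(id_number: str, key: bytes) -> str:
    """Return a stable, non-reversible token for an identification number.

    Normalizing case and separators first ensures the same license produces
    the same token every time, which is what lets the return system keep
    working as before (the report's 'same hash value every time').
    """
    normalized = "".join(ch for ch in id_number.upper() if ch.isalnum())
    return hmac.new(key, normalized.encode("ascii"), hashlib.sha256).hexdigest()


def migrate_existing_records(records: list[dict], key: bytes) -> list[dict]:
    """Replace plaintext license numbers already stored with their tokens.

    This is the one-time conversion the report describes for existing numbers:
    after it runs, the plaintext field no longer exists in the output records.
    """
    migrated = []
    for record in records:
        converted = dict(record)
        plaintext = converted.pop("drivers_license")
        converted["id_token"] = pseudonymize_id(plaintext, key)
        migrated.append(converted)
    return migrated


def count_returns_for(id_number: str, hashed_records: list[dict], key: bytes) -> int:
    """Count prior unreceipted returns for a presented license without
    storing or comparing the license number itself."""
    token = pseudonymize_id(id_number, key)
    return sum(1 for record in hashed_records if record["id_token"] == token)


# Constructed sample return log, as it might have looked before conversion.
RETURN_LOG = [
    {"return_id": 1, "drivers_license": "A1234-567", "amount": 39.99},
    {"return_id": 2, "drivers_license": "B7654321", "amount": 12.00},
    {"return_id": 3, "drivers_license": "a1234567", "amount": 80.50},
]

HASHED_LOG = migrate_existing_records(RETURN_LOG, DEMO_KEY)

if __name__ == "__main__":
    # The same customer (entered twice with different formatting) is still
    # recognised as one identity, but no license number remains in HASHED_LOG.
    print(count_returns_for("A1234567", HASHED_LOG, DEMO_KEY))  # 2
    print(any("drivers_license" in r for r in HASHED_LOG))     # False
```

Two design points matter for a defender reviewing such a scheme. First, the key must be stored and backed up separately from the data; losing it makes the tokens useless for matching, and exposing it alongside the database restores the ability to test candidate license numbers. Second, the token is only as private as the normalization is strict: if two stores normalize differently, the same customer gets two tokens and the fraud check silently degrades.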

But TJX's intent to use the data for 18 months and for troubleshooting drew a less supportive response. "TJX has not presented a persuasive argument regarding the retention of this information for longer than 18 months, nor any rationale as to why all the information needed to be retained in an identifiable format for such a lengthy time for this purpose," the report said. "Further, 'troubleshooting' is not directly related to the purpose for which the information was collected in the first place."

Canadian privacy law "specifically requires that personal information be retained only as long as necessary for the fulfillment of the purposes for which the information was collected, not for a new purpose arising after the fact."