[Dataloss] follow-up: TJX Assents to Audits Of Data-Security System

security curmudgeon jericho at attrition.org
Fri Mar 28 16:59:41 UTC 2008



---------- Forwarded message ----------
From: Richard M. Smith <rms at computerbytesman.com>

In a press release, TJX, of Framingham, Mass., said it disagreed with the 
allegations in the FTC complaint, noting that prior to the breach, the 
company's data security "was similar to that of many major retailers."

http://online.wsj.com/article/SB120664225435369131.html?mod=todays_us_marketplace


TJX Assents to Audits Of Data-Security System
By JOSEPH PEREIRA
March 28, 2008

TJX <http://online.wsj.com/quotes/main.html?type=djn&symbol=tjx> Cos., 
which last year disclosed a major data-security breach, agreed to have its 
systems that safeguard customers' credit-card data audited every other 
year for the next two decades under a settlement with the Federal Trade 
Commission.

The FTC said the discount retailer failed to take "readily available 
security measures" to protect its customers' data, allowing an intruder to 
gain access to tens of millions of credit cards and the personal 
information of 455,000 consumers.

"Banks have claimed that tens of millions of dollars in fraudulent charges 
have been made on the cards and millions of cards have been cancelled and 
reissued," the FTC said.

Financial penalties aren't part of the agreement. The FTC has yet to 
receive authority from Congress to assess fines, despite multiple 
petitions.

The agency chastised the retailer for not encrypting the data, 
establishing firewalls, using complex passwords or regularly updating 
antivirus software to make it difficult for hackers to steal customers' 
financial data.

[..]

