US retailer TJX, from which wireless hackers stole the personal and banking
details of 45 million customers, has settled its case with
the Federal Trade Commission.
The group, which owns the 226-store UK-based TK Maxx chain, will
have to implement comprehensive information security programmes and
obtain audits by independent third-party security professionals
every two years for 20 years.
TJX was the 20th firm charged by the FTC with leaving customer
data unprotected. "By now the message should be clear - companies
that collect sensitive consumer information have a responsibility
to keep it secure," said FTC chairman Deborah Platt Majoras.
"Information security is a priority for the FTC, as it should be
for every business."
The Commission charged TJX with failing to use "reasonable and
appropriate security measures to prevent unauthorised access to
personal information on its computer networks".
It said an intruder had exploited these failures and obtained
details of tens of millions of credit and debit payment cards used
by consumers at TJX's stores, as well as the personal information
of about 455,000 consumers who returned merchandise to the
stores.
Banks have claimed that tens of millions of dollars in fraudulent
charges have been made on the cards and that millions of cards have had
to be cancelled and reissued.
The settlement requires TJX "to establish and maintain a
comprehensive security programme reasonably designed to protect the
security, confidentiality and integrity of personal information it
collects from or about consumers".
TJX sales for the four weeks to 1 March were up 6% to $1.3bn
compared with the same period last year, and also rose in the
quarter after the hack was reported.
In a separate settlement, the FTC required data broker
Reed Elsevier Inc (REI), Computer Weekly's parent company, and Seisint to
"establish and maintain comprehensive security programmes to
protect personal information that is, in whole or part, non-public
information. The settlements require the programmes to contain
administrative, technical and physical safeguards appropriate to
each company's size, the nature of its activities, and the
sensitivity of the personal information it collects".
The settlements follow an FTC complaint that, among other
security failures, the companies allowed customers to use
easy-to-guess passwords to access Seisint's Accurint databases.
"The databases contained sensitive consumer information,
including driver's licence numbers and social security numbers,"
the FTC said. "Identity thieves exploited these security failures,
and through multiple breaches obtained access to sensitive
information about at least 316,000 consumers from Accurint
databases.
"The identity thieves used the information to activate credit
cards and open new accounts, and made fraudulent purchases on the
cards and new accounts. REI acquired Seisint in late 2004, and the
breaches continued for at least nine months afterward, during which
time REI controlled Seisint's practices."