Wireless Systems Blamed in TJX Theft

Framingham, Mass., Hackers stole millions of credit-card numbers from discount retailer TJX Cos., by intercepting wireless transfers of customer information from two Miami-area Marshalls stores, according to an eight-month investigation by the Canadian government..

The investigation, led by Canadian Privacy Commissioner Jennifer Stoddart, faulted TJX for failing to upgrade its data-encryption system, and retaining years-old customer data that should have been quickly purged from TJX's data systems. TJX disclosed the breach last January, but the company and U.S. government investigators have not publicly disclosed how they believe intruders initially broke into TJX's systems.

"The company collected too much personal information, kept it too long and relied on weak encryption technology to protect it—putting the privacy of millions of its customers at risk," said Stoddart, who announced the findings at an information-security conference in Montreal on Tuesday.

TJX spokeswoman Sherry Lang said her company worked collaboratively with Canadian authorities, and would adopt their recommendations to upgrade its information security.

"While we respectfully disagree with many of the commissioners' factual findings and legal conclusions, we have chosen to implement their recommendations, having already implemented most of them, with the remainder in process," she said.

The recommendations include taking steps to mask driver's license information collected when customers return merchandise without receipts.

Stoddart, who investigated the breach along with Alberta Information and Privacy Commissioner Frank Work, said her office learned from TJX that the hacker or hackers' entry point was a local area wireless network at two Miami area Marshalls stores.