The U.S. Federal Trade Commission has settled data-breach complaints against
retailer TJX and data broker Reed Elsevier, requiring both companies to establish
comprehensive information security programs and submit to biennial data security
audits over the next 20 years.
The settlements, announced Thursday, also require the companies to identify
internal and external risks to the security and confidentiality of personal
information and assess the safeguards already in place. The settlements don't
include fines because the FTC doesn't have authority to levy civil fines in
violations of the FTC Act, which prohibits unfair business practices. The FTC
has asked Congress for the ability to seek civil fines under the FTC Act, an
agency spokeswoman said.
The settlement with TJX, which owns T.J. Maxx, Marshalls and other retailers,
comes in response to a data breach that exposed more than 45 million customer
credit and debit cards. The company reported the 2005 breach in January 2007,
and some banks have alleged that the number of cards affected is 94 million.
Reed Elsevier and subsidiaries LexisNexis and Seisint announced in March 2005
that hackers had stolen passwords, names, addresses, Social Security and drivers
license numbers of about 32,000 customers. Since then, the number of compromised
customers has risen to 316,000.
The FTC has brought a total of 20 complaints against companies that had data
breaches. "By now, the message should be clear: companies that collect
sensitive consumer information have a responsibility to keep it secure,"
FTC Chairman Deborah Platt Majoras said in a statement. "Information security
is a priority for the FTC, as it should be for every business in America."
The agency charged that TJX stored and transmitted personal information in
clear text, did not use "readily available" security measures to limit
wireless access to its networks, did not use strong passwords and did not use
security measures such as firewalls.
The FTC charged that Reed Elsevier allowed customers to use easy-to-guess passwords
to access Seisint's Accurint databases containing sensitive personal information
such as drivers license numbers and Social Security numbers.
Identity thieves exploited these security failures, and used the information
to activate credit cards and open new accounts, the FTC said.
The FTC charged that the company failed to make Seisint user credentials hard
to guess, failed to periodically change user credentials, and failed to suspend
credentials after a number of unsuccessfully log-in attempts. The company also
allowed Seisint customers to store credentials on cookies on their computers,
permitted users to share credentials, did not adequately address vulnerabilities
in Seisint's Web applications and computer network and did not implement "simple,
low-cost and readily available" defense against attacks, the FTC said.
LexisNexis, which acquired Seisint in 2005, has "resolved the issues identified
by the FTC," the company said in a statement. The company is "committed
to maintaining the enhanced security safeguards that we put in place following
the acquisition."
A TJX spokeswoman wasn't immediately available for comment. The company settled
several class-action lawsuits related to the breach in September, with some
customers getting free credit monitoring and credit insurance and another group
getting one or two US$30 vouchers.
"TJX has worked diligently with some of the world's best computer security
firms to further enhance our computer security," Carol Meyrowitz, the company's
president and CEO, said in a statement last month. "We have also continued
to work with law enforcement and government agencies and very much want to see
the cyber criminals who attacked our computer system brought to justice."
Related reading
- The
sad saga of TJX; can it get any worse than this?
- Turkish
police make arrest in TJX data breach case
- TJX
offers settlement as breach cause is exposed
