TJX collected and stored unnecessary and excessive amounts of personal information, retained it for too long and relied on outdated encryption technology in the period before it disclosed its breach, according to a Canadian privacy report.
The report, the result of an eight-month investigation by the Canadian government, also indicates that hackers gained initial access to the central database through insecure wireless connections at two Marshalls locations in Miami.
The city is the hometown of a 19-year-old man who recently pleaded guilty to leading a fraud ring that used stolen TJX data to make purchases throughout Florida.
The report, penned by the Office of the Privacy Commissioner of Canada, contradicts a widely accepted belief, first reported by The Wall Street Journal earlier this year, that the attackers made their initial intrusion through the wireless connection of a Minneapolis Marshalls.
"The information that we have from TJX is that the hackers gained entry into the Miami stores," Elizabeth Dunham, a director in the Office of the Privacy Commissioner, said on a conference call announcing the findings.
TJX was also in violation of the Payment Card Industry standard when thieves stole some 45.7 million credit card and driver's license numbers over a two-year period, the report said.
Frank Work, information and privacy commissioner of Alberta, whose office assisted in the investigation, said TJX relied on weak encryption technology.
The company was running a wireless network protected by the Wired Equivalent Privacy (WEP) industry standard, which has since been superseded by the more robust Wi-Fi Protected Access (WPA) guidelines. Work said TJX disputes the timing of its shift to the WPA protocol.
The report also found that TJX deployed inadequate monitoring technology: the company was unable to track the footprints of the thieves, who moved in and out of the system for two years.
Brian Cleary, vice president of marketing at enterprise access governance provider Aveksa, said that TJX appears to have lacked proper access control policies.
"I view it as a violation of most privileged access," said Cleary, who listened to the call. "How did they get that fine-grained entitlement access and not have it revoked?"
A TJX spokeswoman did not return a call for comment, but Dunham said TJX has accepted all of the report's recommendations.