In the wake of the Hannaford disaster, there is more news surrounding TJX. According to an FTC complaint, TJX, with over 2,500 stores worldwide, failed to use reasonable and appropriate security measures to prevent unauthorized access to personal information on its computer networks.
FTC comes out against TJX, gets settlement for security violations.
“By now, the message should be clear: companies that collect sensitive consumer information have a responsibility to keep it secure,” said FTC Chairman Deborah Platt Majoras. “Information security is a priority for the FTC, as it should be for every business in America.”
An intruder exploited flaws in the network design used by TJX, specifically wireless traffic, and obtained tens of millions of credit and debit payment cards that consumers used at TJX’s stores. In addition, the criminals made off with the personal information of approximately 455,000 consumers who returned merchandise to the stores. Banks have claimed that tens of millions of dollars in fraudulent charges have been made on the cards and millions of cards have been cancelled and reissued.
The list of FTC charges against TJX includes creating unnecessary risk to personal information by storing it on, and transmitting it between and within, its various computer networks in clear text, and the lack of available security measures to limit wireless access to its networks. The FTC also charged TJX with failure to use readily available security measures, such as firewalls, to limit access among its computers and the Internet, and failure to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as patching or updating anti-virus software.
The settlement with TJX requires it to establish and maintain a comprehensive security program reasonably designed to protect the security, confidentiality, and integrity of personal information it collects from or about consumers. It also requires TJX to retain independent, third-party security auditors to assess its security program on a biennial basis for the next 20 years. The auditors will be required to certify that the companies’ security programs meet or exceed the requirements of the FTC’s orders.