The Commissioner has published the results of an investigation into the company which found that the unprecedented leak was foreseeable. It found that the company's processes had failed to protect customers, and how simply keeping so much information is "a serious liability".
"The company collected too much personal information, kept it too long and relied on weak encryption technology to protect it – putting the privacy of millions of its customers at risk,” said Privacy Commissioner Jennifer Stoddart.
"Criminal groups actively target credit card numbers and other personal information. A database of millions of credit card numbers is a potential goldmine for fraudsters and it needs to be protected with solid security measures," she said.
“The TJX breach is a dramatic example of how keeping large amounts of sensitive information – particularly information that is not required for business purposes – for a long time can be a serious liability.”
The Commissioner's office conducted an investigation but has not taken TJX to the courts, which it has the power to do. It said that it had made recommendations to TJX during the course of the investigation about how it could improve its systems and that TJX had complied with its requests.
"We are of the view that TJX contravened the [law] concerning the collection and retention of personal information held by it," said the Commissioner's report. "We are pleased, however, that TJX has agreed to implement our recommendations to the extent that [we] consider the matter to be resolved."
The investigation was carried out by the Privacy Commissioner and the Privacy Commissioner of Alberta, a Canadian province with different privacy laws to the national laws. They investigated TJX and its subsidiaries Winners Merchant International and HomeSense, the shops it operates in Canada.
The Commissioner found that TJX had failed to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and Alberta’s Personal Information Protection Act (PIPA).
The company did not manage the risk of a breach; it failed to encrypt data strongly enough, it did not monitor its systems well enough; it did not act in accordance with payment card industry standards; and it collected too much information.
The investigation also found that the company did not even have adequate reason to collect all the information that it did gather.
"The investigation also found the company did not have a reasonable purpose to collect driver’s license and other identification numbers when unreceipted merchandise was returned," said a statement from the Commissioner's office.
"TJX stated it asked for this information as part of a fraud prevention process to identify people frequently returning merchandise. It retained the driver’s license numbers – an extremely valuable piece of information for identity thieves – indefinitely," it said.
The office of the Commissioner said that it would not take action against TJX because the company had already complied with its requests
The Office has told the company to improve its security and privacy practices in specific ways. "[The Commissioners] are pleased the company has agreed to follow these recommendations," said the Office.
The Commissioner is an officer of the Canadian Parliament and has the power to conduct investigations, compel people to give evidence and take action through the courts based on Canada's privacy laws.