TJX data leak gets worse
Turns out that the data compromise started as early as June 2005, and involved transaction details from as early as 2003. Leaked data included driver’s license info for people making returns.
One of the many lessons here is that one should not collect or keep data one really doesn’t need. The starting position should be that nothing is collected in the first place without a supportable need. Businesses must take a cold, hard look at the info they collect and keep, and ask why they need it.
Take driver’s license info on returns, for example. Canadian privacy decisions have said that it’s OK to ask for a driver’s license as a fraud prevention measure when someone returns an item – but it’s not OK to record that info. After all, once the clerk decides that the person returning the item is who they say they are, what’s the point of recording the license details? The Alberta privacy commissioner did a good analysis of the issue.
Another example is credit and debit card information. Once a transaction is approved by the debit/credit card company – why would one keep any details about the card or cardholder?
Read about the latest TJX revelation on The Canadian Privacy law blog
Read an earlier article of mine on the Alberta license & return issue




