FTC reaches data breach settlements with TJX, Reed Elsevier

The FTC has reached settlements with The TJX Companies Inc. and Reed Elsevier after alleging the firms did not provide sufficient security for consumer information.

Under the settlements, the companies must implement new security programs and undergo security audits by third-party professionals every other year for 20 years.

“By now, the message should be clear: companies that collect sensitive consumer information have a responsibility to keep it secure,” FTC chairman Deborah Platt Majoras said in a statement.

She added that the FTC has filed 20 complaints in which the agency has charged companies with security deficiencies in protecting sensitive consumer information.

The companies agreed to similar settlements, which stipulated that they must designate employees to coordinate security programs, identify risks and assess safeguards already in place. Once risks are assessed, the companies must design and implement new safeguards, monitor their effectiveness and put programs into place that show the results of this monitoring. TJX and Reed Elsevier must also select and oversee service providers that handle the personal information they receive.

The FTC's investigation of Reed Elsevier focused on its data brokerage division LexisNexis and 2004 acquisition Seisint. The agency charged Reed Elsevier and Seisint after identity thieves accessed personal information from at least 316,000 Seisint customers. Reed Elsevier was implicated because the breaches continued for nine months after its acquisition of Seisint.

“Under the agreement, LexisNexis agrees to maintain a comprehensive information security program, as confirmed by periodic, third-party audits,” Suzanne D'Agostino, VP of corporate communications for LexisNexis, said in a statement. “We have resolved the issues identified by the FTC, which relate to data breaches previously disclosed in 2005, and are committed to maintaining the enhanced security safeguards that we put in place following the acquisition.”

Charges stated that Seisint and Reed Elsevier allowed customers to use easy-to-guess passwords for database access and did not require periodic changes of user credentials or suspend credentials after multiple unsuccessful login attempts. Other charges included failure to require customers to encrypt or protect credentials, allowing customers to store credentials in vulnerable formats, and allowing users to share credentials and create new credentials with no verification of the new identities. Seisint and Reed Elsevier also failed to implement readily available defenses or adequately assess the vulnerability of their system to such attacks, according to the charges.

Complaints against TJX were filed when an intruder accessed personal information on its stores' computer networks, stealing tens of millions of debit and credit card numbers and the personal information of nearly half a million TJX shoppers.

The FTC said that TJX created unnecessary risk to the information by storing and transmitting it in clear text and by not using readily available measures to limit wireless access to its networks. TJX was also charged because it allegedly did not require workers to use strong passwords to access its data, did not use firewalls and other security measures to limit access to its computers and did not have measures in place to detect and prevent unauthorized access to customer data.

TJX could not be reached for comment as of press time.

Thirty-nine state attorneys general assisted the FTC in its investigation of TJX. The Hayward, CA, Police Department and Rapid Enforcement Allied Computer Team Task Force aided in the investigation of Seisint and Reed Elsevier.

