
Canada's No-fly list takes to the skies


Canada's new no-fly list is ready to take off:

CNW Group

Air security strengthened - Passenger Protect ready to take flight

OTTAWA, May 11 /CNW Telbec/ - The Honourable Lawrence Cannon, Minister of
Transport, Infrastructure and Communities, together with the Honourable
Stockwell Day, Minister of Public Safety, today announced new regulations that
will strengthen air passenger security screening. Once implemented, new
measures under a program known as Passenger Protect will prevent persons who
pose an immediate threat to aviation security from boarding a commercial
aircraft.

This made-in-Canada program was developed to provide an additional layer
of security for the aviation system and to enhance public safety in a way that
complies with the Canadian Charter of Rights and Freedoms and federal privacy
legislation.

"Canadians want to fly secure, and Passenger Protect is a significant
step forward. We must remember that Canada is not immune to the threat of
terrorism and we must remain vigilant," said Minister Cannon. "Passenger
Protect will not only make Canada's aviation system more secure, it will also
help keep the world's skies safe by reaching beyond Canadian borders to screen
everyone getting on a flight to Canada."

Under the new program, the Government of Canada is maintaining a list of
specified persons who may pose an immediate threat to aviation security should
they attempt to board a flight. Air carriers will be able to screen passengers
against the specified persons list through a secure online system. If the air
carrier identifies a person as a possible match with an entry on the list, the
air carrier will contact Transport Canada to confirm the passenger's identity,
and obtain a decision whether or not to allow him or her to board the flight.

"Canada has one of the best aviation systems in the world and is always
looking for ways to increase the safety and security of the travelling
public," said Minister Day.

The Government of Canada has held discussions with airlines, airports,
and labour representatives, as well as civil liberties and ethno-cultural
groups in developing Passenger Protect, to create a program that enhances
security, respects the needs and realities of the aviation industry and
protects the rights of Canadians. As part of the consultations, Transport
Canada has established a reconsideration process to provide a non-judicial,
efficient way for any members of the public who have been denied boarding to
have their cases reviewed by persons independent of those who made the
original recommendation.

Transport Canada has worked closely with the Office of the Privacy
Commissioner in order to further strengthen the privacy provisions of the
program. Implementation for flights within Canada and international flights to
and from Canada will begin on June 18, 2007.

As of this date, new Identity Screening Regulations will require air
passengers within Canada who appear to be 12 years of age or older to present
one piece of government-issued photo identification (ID) that shows name, date
of birth and gender or two pieces of government-issued ID - one of which shows
name, date of birth and gender - before boarding an aircraft. The boarding
pass provided by the air carrier must match the name on the ID.

Canadians will not need a passport for travel within Canada but rather
can present a range of government-issued ID to the air carriers including a
health card, a birth certificate, a driver's licence and a social insurance
card. Current requirements for international travel will remain in place.

This practice is consistent with procedures currently in use by most
major airlines, and will allow the air carrier and Transport Canada to confirm
the identity of a passenger who is a possible match with an entry on the
specified persons list.

These proposed regulations were first published in the Canada Gazette,
Part I on October 28, 2006, after which a 75-day period followed to enable
interested parties and the public to provide comments.

The final regulations will be published in the Canada Gazette, Part II on
May 16, 2007.

A backgrounder with more information on the Passenger Protect program and
the new Identity Screening Regulations is attached.

-------------------------------------------------------------------------

BACKGROUNDER

-------------------------------------------------------------------------

PASSENGER PROTECT PROGRAM

-------------------------

The Government of Canada began consulting with industry on passenger
assessment in May 2004, and expanded consultations on a program proposal for
Passenger Protect in the summer of 2005. Consultations with air carriers,
airports, labour representatives, civil liberties and ethno-cultural groups as
well as the Office of the Privacy Commissioner were essential to the
successful design and implementation of a program that enhances security,
respects the needs and realities of the aviation industry, and ensures that
the privacy and human rights of Canadians are protected.

The Passenger Protect program adds another layer of security to Canada's
aviation system to help address potential threats. Terrorist groups continue
to target civil aviation, and seek means to defeat existing safeguards and
measures.

Under the program, the Government of Canada is maintaining a list with the
name, date of birth and gender of each specified person that will be provided
to airlines in secure form. The airlines will compare the names of individuals
intending to board flights with the names on the specified persons list, and
will verify with the individual's government-issued identification when there
is a name match. Identification will be verified in person at the airport
check-in counter. When the airline verifies that an individual matches in
name, date of birth and gender with someone on the list, the airline will be
required to inform Transport Canada.

A Transport Canada officer will be on duty 24 hours a day, every day, to
receive calls from airlines when they have a potential match with a specified
person on the list. Transport Canada will verify information with the airline,
confirm whether the individual poses an immediate threat to aviation security
and inform the airline, if required, that the individual is not permitted to
board the flight. The Royal Canadian Mounted Police (RCMP) would be notified
immediately in the event of a match, and police of jurisdiction at the airport
would be informed and take action as required.

The Passenger Protect program will be implemented for Canadian domestic
flights and international flights to and from Canada on June 18, 2007.

Creating the Specified Persons List

The Minister of Transport, Infrastructure and Communities has the
authority under the Aeronautics Act, to specify an individual who is a threat
to aviation security and to require airlines to provide information about the
specified person.

A Transport Canada-led Advisory Group will assess individuals on a
case-by-case basis using information provided by the Canadian Security
Intelligence Service and the RCMP, and will make recommendations to the
Minister of Transport, Infrastructure and Communities concerning their
designation as specified persons or the removal of that designation. The
Advisory Group includes a senior officer from the Canadian Security
Intelligence Service and a senior officer from the RCMP (as advised by the
Department of Justice), with input from representatives from other Canadian
government departments and agencies.

Individuals are added to the specified persons list based on their
actions, which lead to a determination that they may pose an immediate threat
to aviation security, should they attempt to board an aircraft. Guidelines in
making that determination are focused on aviation security, and may include:

  • an individual who is or has been involved in a terrorist group, and
    who, it can reasonably be suspected, will endanger the security of any
    aircraft or aerodrome or the safety of the public, passengers or crew
    members;
  • an individual who has been convicted of one or more serious and
    life-threatening crimes against aviation security; and
  • an individual who has been convicted of one or more serious and
    life-threatening offences and who may attack or harm an air carrier,
    passengers or crew members.

Identity Screening Regulations

As of June 18th 2007, new Identity Screening Regulations will require
airlines to screen each person's name against the specified persons list
before issuing a boarding pass, for any person who appears to be 12 years of
age or older. The regulations take into account the various ways in which the
boarding pass may be obtained: at a kiosk, through the Internet, or at an
airport check-in counter.

Where there is check-in via Internet or kiosks, airlines will not allow
printing of the boarding pass when there is a name match with the specified
persons list. Passengers refused a boarding pass at a kiosk or through the
Internet will be directed to the airline agent for in-person verification of
government-issued identification (ID). ID verification will determine whether
the name, date of birth and gender match those of a listed person.

The regulations also require air carriers to screen individuals at the
boarding gate by comparing the name on government-issued ID with the name on
the boarding pass. If the name on the ID is not the same as the name on the
boarding pass, the air carrier will be required to check the name on the ID
against the list.

Transport Canada will work with air carriers to provide training for
agents and staff who will be involved in implementing the ID verification
requirement, and establish procedures that respect the rights of passengers.

The ID requirement under the Passenger Protect program is for one piece of
valid government-issued photo ID that shows name, date of birth and gender,
such as a driver's licence or a passport, or two pieces of valid
government-issued ID, at least one of which shows name, date of birth and
gender, such as a birth certificate. The verification of passengers' ID is
already a practice followed by most major air carriers in Canada.

The regulations will be published in the Canada Gazette, Part II on
May 16, 2007.

Reconsideration and Appeals

The Passenger Protect program also includes a reconsideration process for
individuals who wish to contest the denial of boarding. An individual who has
been denied boarding under the Passenger Protect program will be able to apply
to Transport Canada's Office of Reconsideration (OOR), which may arrange for
an independent assessment of the case and make a recommendation. The goal is
to provide a non-judicial, efficient mechanism for any member of the public to
have their case reviewed by persons independent of those who made the original
recommendation to the Minister. Individuals have the further option of making
application to Federal Court for judicial review.

Privacy and Human Rights

The protection of privacy and human rights is a core element of the
Passenger Protect program. In developing the program, Transport Canada worked
with stakeholders and consulted with civil liberties and ethno-cultural
groups, and the Office of the Privacy Commissioner on privacy aspects.

A summary of the Privacy Impact Assessment conducted on the Passenger
Protect program is available on the Transport Canada website at
www.tc.gc.ca/vigilance/sep/passenger_protect/executive_summary/menu.htm.

In addition, the Office of the Privacy Commissioner of Canada posed a
series of questions to Transport Canada about the Passenger Protect program in
August 2005. The questions and the answers shed light on the privacy
protection features of the program and are available on the Web at
www.tc.gc.ca/vigilance/sep/passenger_protect/Q&A/menu.htm.

More details on the Passenger Protect program and the new Identity
Screening Regulations are available on Transport Canada's website at
www.tc.gc.ca/vigilance/sep/passenger_protect/menu.htm.

May 2007

WSJ sheds light on TJX breach methods


David Canton has just posted a link to a very interesting and insightful article on the TJX/Winners breach, which sheds light on how the scammers were able to penetrate the TJX system to take approximately TWO HUNDRED MILLION credit card numbers.

How Credit-Card Data Went Out Wireless Door - WSJ.com

... When wireless data networks exploded in popularity starting around 2000, the data was largely shielded by a flawed encoding system called Wired Equivalent Privacy, or WEP, that was quickly pierced. The danger became evident as soon as 2001, when security experts issued warnings that they were able to crack the encryption systems of several major retailers.

By 2003, the wireless industry was offering a more secure system called Wi-Fi Protected Access or WPA, with more complex encryption. Many merchants beefed up their security, but others including TJX were slower to make the change. An auditor later found the company also failed to install firewalls and data encryption on many of its computers using the wireless network, and didn't properly install another layer of security software it had bought. The company declined to comment on its security measures.

The hackers in Minnesota took advantage starting in July 2005. Though their identities aren't known, their operation has the hallmarks of gangs made up of Romanian hackers and members of Russian organized crime groups that also are suspected in at least two other U.S. cases over the past two years, security experts say. Investigators say these gangs are known for scoping out the least secure targets and being methodical in their intrusions, in contrast with hacker groups known in the trade as "Bonnie and Clydes" who often enter and exit quickly and clumsily, sometimes strewing clues behind them.

The TJX hackers did leave some electronic footprints that show most of their break-ins were done during peak sales periods to capture lots of data, according to investigators. They first tapped into data transmitted by hand-held equipment that stores use to communicate price markdowns and to manage inventory. "It was as easy as breaking into a house through a side window that was wide open," according to one person familiar with TJX's internal probe. The devices communicate with computers in store cash registers as well as routers that transmit certain housekeeping data.

After they used that data to crack the encryption code the hackers digitally eavesdropped on employees logging into TJX's central database in Framingham and stole one or more user names and passwords, investigators believe. With that information, they set up their own accounts in the TJX system and collected transaction data including credit-card numbers into about 100 large files for their own access. They were able to go into the TJX system remotely from any computer on the Internet, probers say....

Credit-card company facing liquidation


I am surprised this hasn't received more coverage. Cardsystems is facing bankruptcy as a result of the very high profile data breach in 2005. See: Credit-card company facing liquidation | www.azstarnet.com.

This time it's personal


In addition to my weekly New Yorker magazine, today's mail contained a plain envelope with a PO Box return address. From a mile away, I could tell it was a credit card. Like many people recently, my bank has sent me a new credit card in the mail because I shopped at Winners. According to the letter, there is reason to believe my credit card was compromised in the Winners/TJX breach. The form letter tells me that there's been no evidence of fraudulent activity, but this is just in case.




When the TJX story broke, I attempted to contact their privacy officer through the address on the website. What I was looking for was a fax number because I did not want to communicate with them, particularly about my credit card, via e-mail. That was months ago and no contact and no reply. Not impressive.

I just went to the Winners website and tried to check out their IMPORTANT CUSTOMER ALERT, which connects (or rather doesn't connect) to a TJX server:



Less impressive.


Going directly to the TJX website provided a working link:

As TJX’s President and Chief Executive Officer, I want our customers to know how much I personally regret any difficulties you may experience as a result of the unauthorized intrusion into our computer systems. We are working with leading computer security firms to investigate the problem and enhance our computer security in order to protect our customers’ data. We are dedicating significant resources to evaluate the issue. Given the nature of the breach, the size and international scope of our operations and the complexity of the way credit card transactions are processed, the evaluation is, by necessity, taking time.


Since we learned of the probability of a breach in mid-December 2006, we have cooperated with law enforcement as well as with the banks and credit card companies that process our customer transactions. Further, we have established customer helplines in three countries and are making available a great deal of helpful information on our company websites.


We are committed to continue to address the situation and to provide periodic updates as we learn more. We have reported updated information in a press release which you will find below.


Additionally, I encourage you to access the information we are providing on this website to learn more about steps you can take to protect your credit and debit card information, or to contact our special customer helplines.


With the help of computer security experts, we have strengthened the security of our computer systems and we believe customers should feel safe shopping in our stores. We value the trust our customers place in us and again, I’d like you to know that we sincerely apologize for any difficulties you may be caused. Thank you for continuing to shop at our stores and for your years of loyal patronage.


Respectfully,


Carol Meyrowitz

President and Chief Executive Officer


Those affected may seek some perverse comfort that TJX may face significant penalties under the PCI Data Security Standard.

It will be interesting (but certainly not remedial in any way) to see what the Privacy Commissioner concludes about this investigation.

T.J. Maxx probe finds broader hacking


This isn't good:

T.J. Maxx probe finds broader hacking | Tech News on ZDNet

The TJX Companies, the discount retailer best known for its T.J. Maxx and Marshalls clothing stores, said Wednesday that its hacking investigation has uncovered more extensive exposure of credit and debit card data than it previously believed.

Information on millions of TJX customers may have been exposed in the long-running attack, which was made public last month. It affects customers of any TJX store in the U.S., Canada or Puerto Rico, with the exception of its Bob's Stores chain.

The breach of credit and debit card data was initially thought to have lasted from May 2006 to January. However, TJX said Wednesday that it now believes those computer systems were first compromised in July 2005.

TJX said credit and debit card data from January 2003 through June 2004 was compromised. The company previously said that only 2003 data may have been accessed. According to TJX, however, some of the card information from September 2003 through June 2004 was masked at the time of the transactions.

The company added that names and addresses apparently were not included with the card information, that debit card PIN numbers are not believed to have been vulnerable, and that data from transactions made with debit cards issued by Canadian banks likely were not vulnerable.

TJX also found that there was evidence of intrusion into the system that handles customer transactions for its T.K. Maxx stores in the United Kingdom and Ireland, but that there has been no confirmation that anyone actually accessed that data.

In addition to these exposures, TJX said there were more breaches of driver's license information than it previously thought. These included the license numbers, names and addresses of customers making merchandise returns in the U.S. and Puerto Rico locations of T.J. Maxx, Marshalls and HomeGoods stores. That compromised data, according to TJX, is restricted to returns without receipts that took place in the last four months of 2003, as well as in May 2004 and June 2004.

TJX plans to notify customers whose driver's license data may have been accessed.

The company, which is continuing its investigation, encourages customers to check their credit-card and bank-account records and look for further updates on its website.

Incident: Club Monaco associated with privacy breach


Fashion retailer Club Monaco is now associated with a third information breach, though the details are very sketchy. From the Globe & Mail:

globeandmail.com : globeinvestor.com : Clothing chain tipped to security breach:

Fashion retailer Club Monaco has called in the RCMP to investigate a possible privacy breach involving customers' credit card numbers -- the third time in the past week that a major Canadian company has been plagued by security issues.

Club Monaco confirmed it was alerted to the problem by a credit card processor late last year and said it immediately hired a forensic firm to help the Mounties with their probe. Banks and other card issuers were also notified of the problem, and have been combing client records for any signs of fraud, according to sources in the financial community.

Investigators have found no evidence to suggest a breach occurred, a spokeswoman for the clothing chain said yesterday, adding that the data under investigation do not include names, addresses or phone numbers. She said the company has not determined how many customers might be affected.

'We've been told through the report thus far that our systems are very secure,' Wendy Smith said. 'It's an active investigation.'...

Inadequate security safeguards led to TJX breach, Commissioners say


The federal Privacy Commissioner and the Information and Privacy Commissioner of Canada have released their reports on the TJX/Winners breach (Report of Findings (September 25, 2007) Privacy Commissioner of Canada and Investigation Report P2007-IR-006). The moral of the story: don't collect information you don't need, don't keep it any longer than you need and properly secure the information you have.

Here's the media release:

News Release: Inadequate security safeguards led to TJX breach, Commissioners say (September 25, 2007) - Privacy Commissioner of Canada

Inadequate security safeguards led to TJX breach, Commissioners say

September 25, 2007 – The risk of a breach of sensitive personal information held by TJX Companies Inc., the US parent company of Winners and HomeSense stores in Canada, was foreseeable, but the company failed to put in place adequate security safeguards, an investigation by the Privacy Commissioners of Canada and Alberta has found.

“The company collected too much personal information, kept it too long and relied on weak encryption technology to protect it – putting the privacy of millions of its customers at risk,” says Privacy Commissioner of Canada Jennifer Stoddart.

“Criminal groups actively target credit card numbers and other personal information,” says Commissioner Stoddart. “A database of millions of credit card numbers is a potential goldmine for fraudsters and it needs to be protected with solid security measures.

“The TJX breach is a dramatic example of how keeping large amounts of sensitive information – particularly information that is not required for business purposes – for a long time can be a serious liability.”

The joint investigation by the two Commissioners was launched after TJX disclosed in January that its computer system had been breached. This breach involved millions of credit and debit card numbers as well as other personal information, such as driver’s license numbers collected when customers returned merchandise without receipts.

“This case is a wake-up call for all retailers. They must collect only the personal information necessary for a transaction,” says Frank Work, the Information and Privacy Commissioner of Alberta.

“One positive outcome of this extremely unfortunate breach is that TJX worked cooperatively with us to develop a new process for dealing with unreceipted returns which strikes an appropriate balance between privacy rights and a retailer’s need to take steps to prevent fraud.”

TJX believes the intruder may have initially gained access to customer information via the wireless local area networks at two of its US stores. Customer information was stolen from mid-2005 through December 2006, a TJX investigation found. Some stolen information involved transactions dating back to 2002.

Stolen information included credit card account data as well as data collected when customers returned merchandise without a receipt (drivers’ license numbers, names and addresses).

The investigation concluded TJX did not comply with the federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), and Alberta’s Personal Information Protection Act (PIPA). The investigation found:

  • TJX did not properly manage the risk of an intrusion against the amount of customer data that it collected.
  • The company failed to act quickly in converting from a weak encryption standard to a stronger standard. The conversion process took two years to complete, during which time the breach occurred.
  • TJX did not meet its duty to monitor its computer systems vigorously. An adequate monitoring system should have alerted the company of an intrusion prior to December 2006.
  • The company did not adhere to the requirements of the Payment Card Industry Data Security Standard, which was developed to address the growing problem of credit card data theft.

The investigation also found the company did not have a reasonable purpose to collect driver’s license and other identification numbers when unreceipted merchandise was returned. TJX stated it asked for this information as part of a fraud prevention process to identify people frequently returning merchandise. It retained the driver’s license numbers – an extremely valuable piece of information for identity thieves – indefinitely.

In response to these concerns, TJX proposed a new process to address fraudulent returns. Store staff will continue to ask for identification, however, information such as a driver’s license number will instantly be converted into a unique identifying number when it is keyed into the point-of-sale system. This will allow the company to track unreceipted merchandise returns without keeping original driver’s license numbers in its system.

The Commissioners called on TJX to take a number of steps to improve its security measures and privacy practices and are pleased the company has agreed to follow these recommendations.

Commissioner Stoddart says the Winners/HomeSense breach illustrates the need to get security right in the first place to avoid the potentially huge costs of mopping up after a security breach. “Organizations need to ensure they have multiple layers of security and that they keep up with advances in security technologies. The cost of failing to do this can be enormous – not only to a company, but to its customers,” she says, adding that a data breach can also have a major impact on credit card companies, banks, law enforcement agencies and regulatory bodies.

A summary of the findings in the case is available on the Commissioners’ websites.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

The Information and Privacy Commissioner of Alberta has a mandate to promote a society where personal privacy is respected and public bodies are open and accountable.
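The release above describes TJX's remedy for unreceipted returns: the driver's licence number is converted into a unique identifier at the point of sale, so repeat returns can be counted without the licence number ever being stored. The block below is an added illustration of that approach, written for this page and not TJX's own code; the HMAC key, the jurisdiction field, the normalization rule and the three-return threshold are all assumptions. A keyed construction is used deliberately: an unkeyed hash of a low-entropy identifier such as a licence number can be mapped back by enumerating the licence format, which defeats the purpose of not retaining the number.

```python
import hashlib
import hmac
import re
from collections import Counter

# Assumed: in a real deployment the key lives in an HSM or secrets manager and
# never in the transaction database. A fixed constructed value keeps this runnable.
CONSTRUCTED_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def normalize_id(raw: str) -> str:
    """Canonicalize an ID number before tokenizing.

    Licence formats differ by jurisdiction and cashiers key them inconsistently,
    so spaces and hyphens are dropped and letters upper-cased; otherwise the same
    card keyed two ways would yield two different tokens and repeat returns
    would go uncounted (assumed rule, not TJX's).
    """
    return re.sub(r"[\s-]", "", raw).upper()


def pseudonymize(id_number: str, jurisdiction: str, key: bytes) -> str:
    """Return a stable 64-hex-char token for (jurisdiction, ID number).

    HMAC-SHA256 under a secret key: the same card always maps to the same token
    (tracking works), but without the key the token cannot be reversed to the
    licence number. A plain SHA-256 of the number would be deterministic too,
    yet reversible by rebuilding the hash table over the small licence space.
    """
    msg = f"{jurisdiction.upper()}|{normalize_id(id_number)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ReturnsLedger:
    """Counts unreceipted returns per token; holds no licence numbers at all."""

    def __init__(self, key: bytes, threshold: int = 3):
        self._key = key
        self._threshold = threshold  # assumed flagging threshold
        self._counts: Counter = Counter()

    def record_return(self, id_number: str, jurisdiction: str) -> str:
        token = pseudonymize(id_number, jurisdiction, self._key)
        self._counts[token] += 1
        return token

    def is_frequent_returner(self, id_number: str, jurisdiction: str) -> bool:
        token = pseudonymize(id_number, jurisdiction, self._key)
        return self._counts[token] >= self._threshold

    def stored_values(self) -> list:
        """What would actually sit in the database: tokens only."""
        return list(self._counts)


def contains_raw_id(ledger: ReturnsLedger, id_number: str) -> bool:
    """Data-minimization check: the raw (normalized) licence number must not
    appear anywhere in what the ledger persists."""
    norm = normalize_id(id_number).lower()
    return any(norm in value.lower() for value in ledger.stored_values())


if __name__ == "__main__":
    # Constructed sample licence number, not a real one.
    ledger = ReturnsLedger(CONSTRUCTED_KEY, threshold=3)
    for keyed_as in ("A1234-56789", "a123456789", "A1234 56789"):
        print("return recorded under token", ledger.record_return(keyed_as, "ON")[:16], "...")
    print("frequent returner:", ledger.is_frequent_returner("A123456789", "ON"))
    print("raw licence stored:", contains_raw_id(ledger, "A123456789"))
```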



Incidents: Rash of info breaches with Canadian connections


This has been a crazy week for privacy breaches in Canada and the week isn't over yet. I can't recall the last time I had so many media inquiries.

In addition to those below, I've been asked about two other incidents that will likely break in the next few days. (Since I heard about them from journalists, it would be rude to scoop them on the blog.)

Today we've heard of a significant announcement made by Talvest Mutual Funds

Talvest Mutual Funds issues statement regarding missing back up computer file

MONTREAL, Jan. 18 /CNW/ - Talvest Mutual Funds today announced that a
backup computer file containing client information has recently gone missing
while in transit between its offices.

The backup file contained information relating to the process used to
open and administer approximately 470,000 current and former Talvest client
accounts and may have included client names, addresses, signatures, date of
birth, bank account numbers, beneficiary information and / or Social Insurance
Numbers. Talvest has retained original copies of their files on its secure
website.

While Talvest has no evidence to suggest this backup file has been
inappropriately accessed, the manager of Talvest Mutual Funds, CIBC Asset
Management, has taken precautionary measures to protect its clients. These
actions include:

  • Notifying all affected clients by letter.
  • Compensating any affected Talvest clients for monetary loss that
    arises directly from unauthorized access of personal information
    contained on this file.
  • Providing affected Talvest clients the opportunity to enrol in a
    credit monitoring service at no cost. This service will provide added
    security on client credit files at major Credit Reporting agencies.
  • Establishing a dedicated call centre and website to deal with any
    affected Talvest client inquiries.
  • Advising affected Talvest clients to regularly review activity on all
    their financial accounts and report any unauthorized activity
    immediately to their financial institution.
  • Working with the police to investigate this incident and retrieve
    this backup file.


"We are in the process of contacting affected Talvest clients by letter
to advise them of this issue and to detail the steps we are taking to
safeguard their information," said Steve Geist, President of CIBC Asset
Management. "Although, we have no evidence that the information contained in
the backup file has been accessed in any way, we are acting out of an
abundance of caution and want to assure our clients that we are taking all
steps possible to address this matter. Any issue that causes disruption to our
clients is of great concern to us and we regret the inconvenience this may
cause our Talvest Mutual Fund Clients."

For more information on this matter, Talvest Mutual Fund clients are
advised to visit www.talvest.com.



And with a report from the CBC:

CIBC loses data on 470,000 Talvest fund customers

CIBC Asset Management says a backup computer file containing information on almost half a million of its Talvest Mutual Funds clients has gone missing.

The company says the missing data was in a file that disappeared "while in transit between our offices." The file had personal and financial details on current and former clients of Talvest Mutual Funds, which is a CIBC subsidiary.

The information may have included client names, addresses, signatures, dates of birth, bank account numbers, beneficiary information and/or Social Insurance Numbers.

Talvest says there's no indication that the missing backup file has been "inappropriately accessed," but says CIBC will be taking a number of precautions.

"We are in the process of contacting affected Talvest clients by letter to advise them of this issue and to detail the steps we are taking to safeguard their information," said Steve Geist, president of CIBC Asset Management.

Computer fraud expert Thomas Keenan from the University of Calgary said there's good reason for the company to alert their customers. "Because what's on there [the missing file] is everything you need to know to do identity theft," he told CBC News.

The privacy commissioner of Canada, Jennifer Stoddart, announced that she is launching an investigation.

"Although I appreciate that the bank notified us of this incident and that it is working co-operatively with my office, I am nevertheless deeply troubled, especially given the magnitude of this breach, which puts at risk the personal information of hundreds of thousands of Canadians," Stoddart said in a statement.

Talvest has set up special phone lines for clients who want more information.

The report follows news of a potential corporate privacy breach that could affect as many as two million Visa credit card holders in Canada.

The owner of Winners and HomeSense stores warned Thursday that hackers gained access to its computer system and credit card numbers may have been improperly accessed.



Also, a breach involving TJX, the parent of TJ Maxx, Winners and HomeSense, may have exposed the personal information of Canadian customers of those stores:

globeandmail.com: Computer breach exposes TJX shoppers to fraud

SECURITY

Parent of Winners, HomeSense targeted

MARINA STRAUSS AND SINCLAIR STEWART

Tens of millions of credit card customers in Canada and the United States may have been exposed to fraud during a computer security breach at discount retailer TJX Cos., the U.S. parent of Winners and HomeSense.

TJX, which also owns T. J. Maxx and Marshalls, said yesterday it discovered the "unauthorized intrusion" in mid-December and has been working with police and security experts on both sides of the border to investigate the incident and tighten security procedures.

The retailer declined to say exactly how many customers are affected. But sources close to Visa said the company notified banks and other issuers last week that approximately 20 million of its cards around the world may have been involved. Some in the financial industry estimate the number in Canada could be as high as two million. It's not clear how many customers of other credit card companies have been left vulnerable.

The problem was tied to the computer systems that process and store information about customer transactions involving credit cards, debit cards, cheques and merchandise returns -- some of them going back to 2003. The Royal Canadian Mounted Police and the U.S. Secret Service have been called in to investigate.

"While TJX has specifically identified some customer information that has been stolen from its systems, the full extent of the theft and affected customers is not yet known," the Framingham, Mass.-based retailer said in a statement.

...

"I was stunned," said retail analyst John Chamberlain at Canadian Bond Rating Service. "That's not what you expect from a big retailer. You really expect that they would have stronger systems than that. You get to the point that you trust a retailer to keep that information."

Customers consider the shopping at TJX stores as a "treasure hunt," never quite sure what they'll find, he said. As a result, customers probably use plastic there more often because they don't always know how much they'll spend, he said.

Company officials didn't return calls. Their statement said the retailer kept the matter secret until yesterday at the request of law enforcement. The company said it promptly notified credit card companies and firms that process customer transactions.

An intruder grabbed information dealing with credit and debit card sales in TJX stores during 2003 and part of 2006, according to the company. However, a source said that the debit transactions were confined to the U.S. market. TJX has been able to identify "a limited number" of credit card and debit card holders whose information was taken.

Canadian banks are scrambling to assess the potential damage. Tania Freedman, a Visa spokeswoman, said the company is forwarding information to banks. "These accounts were potentially exposed, [but] not all accounts that are exposed will experience fraud," she said, adding that customers are protected by the card's zero-liability policy.

...

In Canada, TJX runs 184 Winners and 68 HomeSense stores.


Expect much more info to come...


Update (20070118): The Privacy Commissioner of Canada has initiated a complaint on her own accord related to the Talvest breach: Privacy Commissioner launches investigation of CIBC breach of Talvest customers' personal information.
