Discount retailer TJX and data brokers Reed Elsevier and Seisint ...

third-party security professionals every other year for 20 years. The commission said that TJX, with more than 2,500 stores worldwide, didn’t use “reasonable and appropriate” security measures to prevent unauthorized access to personal information on its computer networks. A cyberattacker exploited the failures, obtaining tens of millions of credit and debit payment card numbers that consumers used at TJX stores, along with personal information of approximately 455,000 consumers who returned merchandise to the stores (WID Jan 19 p3), the agency said. Reed Elsevier (REI), via its LexisNexis data broker business, and Seisint, acquired by LexisNexis in 2004, collect and store data on millions of consumers, including names, current and prior addresses, dates of birth, drivers license numbers and Social Security numbers. The companies relied on user IDs and passwords (or “user credentials") to control customer access to material in their databases. The FTC alleged that, among other failures, the companies let customers use “easy-to-guess passwords” to access Seisint “Accurint” databases holding sensitive consumer data. Identity thieves exploited these lapses, obtaining in multiple breaches access to sensitive data on at least 316,000 consumers, the FTC said. Thieves used the data to activate credit cards and open accounts, making fraudulent purchases. The breaches went on for at least nine months after REI acquired Seisint in late 2004, the commission said.