Published on AccountingWEB.co.uk (http://www.accountingweb.co.uk)
Credit card data hacks hit the headlines. By John Stokdyk
Created 02/10/2007 - 12:01

Are your systems secure?

Two separate episodes last week highlighted the increasing vulnerability of consumers to mass exposure of sensitive personal information.

The online auction house eBay was embarrassed when information on 1,200 eBay users, including their credit card numbers, appeared on one of its discussion boards, which was immediately taken offline.

In a series of postings on the auction site's in-house blog [1], an eBay communications team member explained: "While the issue was very unfortunate, it was clearly falsified to cause public concern. Early on eBay's teams verified that the credit card 'data' did not match anything on file for these members on eBay or PayPal.

"After more investigation, including phone conversations with many of the members, it appears that these numbers were not valid at all."

In spite of cover-up allegations from outsiders, eBay said it believed the individuals were victims of account takeovers, most likely through phishing.

However, details of a more significant security breach were published in some detail by the Office of the Privacy Commissioner of Canada (OPC) in a report on the theft of personal information held by TJX, which operates more than 250 fashion stores in the US and Canada.

From July 2005 to January 2007, intruders are reckoned to have gained access to personal information on 45 million payment card holders, the study found.

While couched in legalese derived from its role as the official watchdog of the Canadian personal information protection acts, the 20-page OPC report [2] (PDF) makes for instructive reading on both the physical security aspects of the case, and the principles of personal data protection applied in Canada.

In December 2006, TJX detected suspicious software on its computer network and started an investigation that concluded intruders had gained access to the system via wireless local "retail transaction switches" at two of its stores in Miami. These servers processed and stored customer information related to payment-card transactions, as well as the drivers' licence and other identity numbers of 330 Canadian residents who had returned unreceipted goods to TJX stores in the US.

The retailer explained to OPC's investigators that it needed this information to deter fraud, but the regulator's report concluded that the TJX case "illustrates how maintaining custody of large amounts of sensitive information can be a liability, particularly if the information does not meet any legitimate purpose or if the retention period is longer than necessary".

Collecting and retaining excessive personal information creates an unnecessary security burden, the report argued. "Organisations should collect only the minimum amount of information necessary for the stated purposes and retain it only for as long as necessary, while keeping it secure."

In its final conclusion, the report stated: "TJX did not have reasonable security arrangements in place at the time of the breach. Too much sensitive information was retained, and safeguards in place had inherent weaknesses. Robust security safeguards include a variety of elements, such as asset management, network segregation and active monitoring. We believe that TJX did not have as robust a system in place at the time as it could have had."

Although the retailer contested the findings, it has upgraded its security systems, introduced a "hashed ID" numbering system so that it does not need to hold drivers' licence numbers and submitted a number of follow-up reports to the OPC.
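The "hashed ID" approach mentioned above is a form of pseudonymisation: the retailer keeps a token derived from the licence number so that repeat returns can still be matched, without the raw number ever sitting in its database. The report does not describe TJX's implementation, so the following Python is an added example, not TJX's code. It shows one defensible way to do it: a keyed hash (HMAC-SHA256) over a canonicalised licence number, with the key held separately from the data store. A plain, unkeyed hash of a low-entropy identifier such as a licence number gives little protection, because anyone who obtains the table can recompute candidate digests for every plausible number; the secret key is what makes the tokens unrecoverable to someone who steals only the database. The key value, the `ReturnLedger` class and the sample licence numbers are constructed for illustration.

```python
import hmac
import hashlib

# Constructed example key for illustration only. In a real deployment the
# key lives in an HSM or secrets manager, separate from the database that
# holds the tokens, so a database theft alone does not expose it.
PSEUDONYM_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)


def normalise_licence(raw: str) -> str:
    """Canonicalise a licence number (uppercase, alphanumerics only) so that
    formatting differences do not yield different tokens for one person."""
    return "".join(ch for ch in raw.upper() if ch.isalnum())


def pseudonymise(raw: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Return a keyed hash (HMAC-SHA256, hex) of the canonical licence number.

    Unlike a plain SHA-256 digest, this token cannot be recomputed without
    the key, even though the space of valid licence numbers is small enough
    to enumerate offline.
    """
    canonical = normalise_licence(raw).encode("ascii")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def plain_hash(raw: str) -> str:
    """Unkeyed SHA-256 of the same input, shown only for comparison: this is
    the weak variant, since anyone can recompute it from a guessed number."""
    return hashlib.sha256(normalise_licence(raw).encode("ascii")).hexdigest()


class ReturnLedger:
    """Tracks unreceipted returns per customer while storing only tokens.

    The raw licence number is used transiently to derive the token and is
    never written to the ledger, so there is nothing sensitive to retain.
    """

    def __init__(self, key: bytes = PSEUDONYM_KEY):
        self._key = key
        self._returns: dict[str, int] = {}

    def record_return(self, raw_licence: str) -> int:
        """Record one return and give back the running count for that token."""
        token = pseudonymise(raw_licence, self._key)
        self._returns[token] = self._returns.get(token, 0) + 1
        return self._returns[token]

    def count_for(self, raw_licence: str) -> int:
        """Look up how many returns a customer has made, by token."""
        return self._returns.get(pseudonymise(raw_licence, self._key), 0)

    def stored_values(self) -> list:
        """Everything the ledger actually holds: tokens, never raw numbers."""
        return list(self._returns)


if __name__ == "__main__":
    ledger = ReturnLedger()
    # Constructed sample licence numbers; the second is the first re-formatted.
    ledger.record_return("AB12 345-67")
    print(ledger.record_return("ab1234567"))  # same customer, count is now 2
    print(ledger.stored_values())  # one 64-character hex token, no raw number
```

Two design points follow from the report's reasoning. Retention shrinks to the token, which serves the anti-fraud purpose and nothing else, so a breach of the ledger no longer exposes identity documents. And because the token is keyed, rotating or destroying the key is a way to render the whole table meaningless once the retention period has run out.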

Geoff Sweeney, chief technology officer of London-based security consultancy Tier-3, noted that TJX included a $107 million reserve to cover the costs in its half-year financial report, and estimated that future costs arising from the breach and subsequent lawsuits would run to another 21 million.

"Even though TJX got off relatively lightly so far, the fact that the legal settlement is already into nine figures should serve as a clear warning to other companies," said Sweeney. "Protect your customer database and other private information, or face the consequences."


Source URL: http://www.accountingweb.co.uk/item/173702

Links:
[1] http://www.ebaychatter.com/the_chatter/2007/09/more-info-on-tu.html
[2] http://www.oipc.ab.ca/ims/client/upload/Investigation Report P2007_IR_0061.pdf