Privacy Commissioner: TJX Companies Inc. collected too much personal information, kept it too long and relied on weak encryption technology to protect it. TJX did not comply with the federal private sector privacy law, the Personal Information Protection and Electronic Documents Act PIPEDA. The investigation was launched after TJX disclosed in January that its computer system had been breached. This breach involved more than 45 million credit and debit card numbers, as well as other personal information such as drivers license numbers collected when customers returned merchandise without receipts.”]
Source: https://www.cuinfosecurity.com/tjx-report-wake-up-call-for-all-institutions-a-585