...Overview This case analysis report is about the IT security problems that Owen Richel, the Chief Security Officer of TJX should consider to improve by analyzing some security issues that TJX had faced during the 2005-2007 database intrusion. As technology advances, companies are facing some challenges regarding information privacy. “Information privacy concerns the legal right or general expectation of individuals, groups, or institutions to determine for themselves when, and to what extent, information about them is communicated to others.” (Lecture notes) One of the privacy problems includes unauthorized access, which violates the laws and company’s policies, can limit a person to access to his/her personal information, and threaten the company’s legitimacy in its interactions with its stakeholders. In this case, TJX experienced an information security breach, caused over 94 million of payment cards at risk, and paid $158 million for damages and losses. This serious problem was recognized by Owen and thus case discussion is carried out as follows. Stakeholders & Preferences Some of the important stakeholders are customers, financial institutions, vendors and distributors, shareholders, and the management and employees. The most important stakeholder is the customers that TJX has been long serving with because they are the very first group of people who were affected by the intrusion. It was the customers’ debit and credit cards information that were stolen which...
Words: 1948 - Pages: 8
...Check point TJX Company IT/205 MAY 24, 2012 Check point TJX Company Information security means protecting information systems from unauthorized access. To my understanding TJX failed to properly encrypt data on many of the employee computers that were using the wireless network, and did not have an effective firewall installed. In the reading it indicated that TJX was still using the old Wired Equivalent Privacy (WEP) encryption system, which is relatively easy for hackers to crack. The Wi-Fi equivalent privacy (WEP) was considered old, weak and ineffective, therefore I could say the security breach that TJX had experience was a resulted by using a cheap and inexpensive wireless Wi-Fi network like the Wired Equivalent Privacy (WEP) encryption system, which make it easy for hackers to navigate. This is why it is important that TJX should have invested in using the wireless Wi-Fi Protective access 2 (WPA2) The Wi-Fi Protected Access 2 (WPA2) standard in conjunction with a sophisticated encryption system could have been used to replace the WEP. In that situation an effective firewall would have prevent unauthorized users from accessing private networks, meaning firewall acts like a gatekeeper who examines each user’s credentials before access is granted to a network. An effective Firewall could have reduced the ability for hackers to gain access to sensitive information. A data security breach could result a variety of issues some of them could be loosing of confidence...
Words: 436 - Pages: 2
...January of 2007 the parent company of TJMaxx and Marshalls known as TJX reported an IT security breach. The intrusion involved the portion of its network that handles credit card, debit card, check, and merchandise return functions. Facts slowly began to emerge that roughly 94 million customers’ credit card numbers were stolen from TJMaxx and Marshalls throughout 2006. It was believed that hackers sat in the parking lots and infiltrated TJX using their wireless network. Most retailers use wireless networks to transmit data throughout the stores main computers and for credit card approval. The wireless data is in the air and leaks out beyond the store’s walls. TJX used an encryption code that was developed just as retailers began going wireless. Wired Equivalent Privacy or WEP is a wireless encryption code developed in 1999 that retailers began to implement. Within a couple of years hackers broke the encryption code and rendered WEP obsolete. Many retailers In January of 2007 the parent company of TJMaxx and Marshalls known as TJX reported an IT security breach. The intrusion involved the portion of its network that handles credit card, debit card, check, and merchandise return functions. Facts slowly began to emerge that roughly 94 million customers’ credit card numbers were stolen from TJMaxx and Marshalls throughout 2006. It was believed that hackers sat in the parking lots and infiltrated TJX using their wireless network. Most retailers use wireless networks...
Words: 314 - Pages: 2
...Tonisha Miller IT/205 Jennifer Gilmore CheckPoint: TJX Companies The old Wired Equivalent Privacy (WEP) encryption system was the security controls in place. A Wired Equivalent Privacy (WEP) is not very effective. WEP is built into all standard 802.11 products, but its use is optional. Many users neglect to use WEP security features, leaving them unprotected. The basic WEP specification calls for an access point and all of its users to share the same 40-bit encrypted password, which can be easily decrypted by hackers from a small amount of traffic. Stronger encryption and authentication systems are now available, but users must be willing to install them. TJX had also neglected to install firewalls and data encryption on many of the computers using the wireless network, and didn’t properly install another layer of security software it had purchased. TJX acknowledged in a Securities and Exchange Commission filing that it transmitted credit card data to banks without encryption, violating credit card company guidelines. TJX also retained cardholder data in its systems much longer than stipulated by industry rules for storing such data. The tools and technologies that could have been used to fix the weaknesses are some of the following: General controls govern the design, security, and use of computer programs and the security of data files in general throughout the organization’s information technology infrastructure. On the whole, general controls apply to all computerized...
Words: 753 - Pages: 4
...Executive Summary The TJX Corporation is a large retailor with stores throughout the United States,, Puerto Rico and United Kingdom. In 2005, a security breach of credit card information occurred through a seventeen-month period. The intrusion of customer personal information has grossed the concern of the security among their IT infrastructure. The following criteria based upon their security concerns and customer relationships recovery. Their growth as a discount retailer is dependent on the course of action they must take. They will adhere to a secure network, protect their stored data, prevent future intrusion of their system, restrict access to unauthorized users and frequently test for the implementation of their security measures. TJX will focus on establishing IT governance, mitigate risk, and develop a management strategy through the following alternatives. They will focus on hardware and software upgrades to prevent future attacks of their communication lines and their network through enhanced software and data encryptions. A Payment Card industry Data Security standard has been established and must be maintained by TJX, an implementation from the IT security team will be completed on a regular basis ensuring that all files and file transfers are appropriately encrypted. Internal and external security and network audits will need to be performed on a regular basis to comply with the PCIDSS. This will allow for testing of their system access and identify concerns within...
Words: 3688 - Pages: 15
...How was TJX vulnerable to breaches? How did the situation escalated into a full scale breach. TJX was vulnerable to the breach because of failed attempts to update security which could have prevented the breach. TJX performed an audit and it found that it was non-compliant with 9 of the 12 requirements for a secure payment transaction. Gonzalez used a simple packet sniffer to hack into the system. The packet sniffer Gonzalez used went undetected for several months. TJX failed to notice any data being transferred from their own server which allowed them to lose 80 GB of data. Gonzalez had blind servers in Latvia and Ukraine that were used to breach the system (NT2580: Week 1). Gonzalez performed reconnaissance on their retail stores. Then Gonzalez determined a weakness in the payment systems and utilized malware to intercept credit card information. Gonzalez committed this crime between 2006 through 2008 before being caught. Gonzalez was an informant for the Secret Service which Gonzalez took part in an undercover operation related to a card theft case (Sileo, Operation Get Rich or Die Tryin' Still Lives). Gonzalez was sentenced for the largest computer crime case that has been documented. The only motive Gonzalez has was technical curiosity and obsession with conquering computer networks. Gonzalez’s attorney argued that some of the loses were the result of TJX’s own negligence. If security upgrades were done then it may have prevented the breach (Zetter,TJX Hacker Gets...
Words: 407 - Pages: 2
...Checkpoint - TJX Companies IT/205 March 1, 2013 Checkpoint - TJX Companies This week’s checkpoint deals with the credit card data theft at TJX companies which occurred in July of 2005. According to the book Essentials of MIS, the thieves used a vulnerable wireless network from one of the department stores on the TJX network to gain access. (Laudon & Laudon, 2011, p. 243) After the thieves had access to the network the installed a sniffer program on one of the main computers of the network. They then were able to download any information that they needed to. The TJX Company was still using outdated weak wireless security encryption called WEP, (Wired Equivalent Privacy), instead of upgrading to a more secure version of wireless security, WPA, (Wi-Fi Protected Access). They also did not have any firewalls or data encryption in place. (Laudon & Laudon, 2011, p. 243). The tools that was needed to be in place to help stop this from happening was, the stronger wireless security of Wi-Fi Protected Access (WPA) standard with more complex encryption, they also needed to install strong firewalls, data encryption on computers, and to transmit credit card data to banks with encryption. This breach had some lasting effects on the TJX Company. One of the first effects was that the company had to strengthen the company’s information system security. They also had to agree to have a third-party auditor review their security measures every two years for the next twenty years...
Words: 388 - Pages: 2
...The IT security breach, caused by one Albert Gonzalez and his accomplices, is one of the most expensive lessons in corporate data security policies. For TJX this is more so as it is not only just that, it’s a black spot on the companies security record and has earned quite the problem as people no longer trust the company due to just how many security issues came to light with Albert’s breach. The TJX stores were foolishly using the relatively weak Wired Equivalent Privacy (WEP) protocol instead of updating to the stronger Wi-Fi Protected Access (WAP) protocol, making it much easier for the breaches to occur. However, the real damage came from the fact that the intruders were able to access the TJX internal systems, being able to move around freely for almost two years. The breaches occurred from the middle of the year 2005 and ran through December 2006, while an estimated 47.5 million records were stolen during that time period. TJX’s other security problem was because they allowed the hackers free roam for pretty much 18 months, showing the company didn’t keep proper traffic logs for their system, the company being unable to find them due to the need to look through all of their systems to try and determine just who it was that took what data, from where, where it was sent, and so on. Because of this, the investigation into the matter took them months and months, giving their opposition all that time to continue messing around their database. It’s also expected that TJX might...
Words: 625 - Pages: 3
...an acceptable cost and reinforce the security policy of the organization. They must include controls that contribute to individual accountability, auditability, and separation of duties. Administrative controls define the human factors of security and involve all levels of personnel within an organization. They determine which users have access to what organizational resources and data. Administrative controls can be broken down into two categories: preventive administrative controls and detective administrative controls. Preventive administrative controls are techniques designed to control personnel’s behavior to assure the confidentiality, integrity, and availability of organizational information. Some examples of preventive administrative controls are: security awareness and technical training, separation of duties, disaster preparedness and recovery plans, terminating and recruiting procedures, and user registration for computer access. 2. How does the absence of Administrative Controls impact corporate liability? The absence of administrative controls will have a negative impact on corporate liability. The main reason is that the organization has not put in place controls that meet a standard considered reasonable by most organizations that share similar backgrounds or work environments to protect data and resources. By not having these administrative controls in place, an organization can be held liable should a breach of security occur. An excellent example of a corporation...
Words: 902 - Pages: 4
...Findings……………………………………………………………………..4 3.1 Issues of Online Identity Theft …………………………………………...4 3.2 Trends of Online Identity Theft……………………………………………5 4. Case Study………………………………………………………………………..7 4.1 Background…………………………………………………………………..8 4.2 Analysis……………………………………………………………………….8 5. Recommendations and Conclusions……………………………………..…9 Executive Summary Identity theft make a lot of customers and organisations suffer serious loss both financially and emotionally. It is necessary to build acknowledge of identity theft to protect the interest of customers and organisations. This report finds the different methods and trends of identity theft and gives some advices for protection. A case study of TJX breach case shows the harm of identity theft in an organisation. 1. Introduction The internet technology has greatly changed the world in which human live since 1990s. Nowadays, internet has gone deep into people’s daily life and its high productivity, efficiency and convince make people deeply rely on it. Online business and social network have become the most important contributions of internet. As the growth of e-commerce and number of users of social networking websites, the target of identity theft has broadened. In e-commerce, identity theft threats not only the customers’ information and property safety but also the interest of corporate. On the social networking websites such as Facebook, users usually use their real e-mail address...
Words: 2731 - Pages: 11
...STUDENT LEARNING OBJECTIVES After completing this chapter, you will be able to answer the following questions: 1. Why are information systems vulnerable to destruction, error, and abuse? What is the business value of security and control? What are the components of an organizational framework for security and control? What are the most important tools and technologies for safeguarding information resources? 2. 3. 4. ISBN 1-256-42913-9 232 Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc. C HAPTER O UTLINE Chapter-Opening Case: Boston Celtics Score Big Points Against Spyware 7.1 System Vulnerability and Abuse 7.2 Business Value of Security and Control 7.3 Establishing a Framework for Security and Control 7.4 Technologies and Tools for Protecting Information Resources 7.5 Hands-on MIS Projects Business Problem-Solving Case: Are We Ready for Cyberwarfare? BOSTON CELTICS SCORE BIG POINTS AGAINST SPYWARE While the Boston Celtics were fighting for a spot in the playoffs several years ago, another fierce battle was being waged by its information systems. Jay Wessel, the team’s vice president of technology, was trying to score points against computer spyware. Wessel and his IT staff manage about 100 laptops issued to coaches and scouts, and sales, marketing, and finance employees, and these machines were being overwhelmed by malware (malicious software). Like any sports...
Words: 21009 - Pages: 85
...Wireless Security Technical Point-of-View Wireless Security Technical Point-of-View W ireless network (Wi-Fi) is now widely established and utilized at home, offices and everywhere in public areas such as rail stations, streets, and etc. This newsletter provides the technical knowledge of Wi-Fi technologies, relevant threats and countermeasures for building a secure internal Wi-Fi network. For the end user best practices of using Wi-Fi, please refer to another newsletter entitled “Wireless Network, Best Practices for General User”. Wireless Technologies | Classification of Networks Technological advancement in wireless communications has led to the worldwide proliferation of networks. The various kinds of network technologies developed can be classified into the following categories according to their range of coverage: Wireless Wide Area Network (WWAN) WWAN offers the largest coverage. Voice and data can be transferred between mobile phones via messaging apps, web pages and video conferencing. In order to secure the transfer, encryption and authentication methods are adopted. Examples of WWAN are 4G, 3G and 2G networks. Wireless Metropolitan Area Network (WMAN) MAN (Metropolitan Area Network) covers across the entire city and WMAN provides the Wi-Fi network similar to MAN. WiMAX and Wireless MAN are both examples of this kind. Wireless Local Area Network (WLAN) WLAN is an 802.11i wireless network that facilitates the access of corporate environment...
Words: 4503 - Pages: 19
...Networks, Telecommunications, and Wireless Computing | | | Telecommunication systems enable the transmission of data over public or private networks. A network is a communications, data exchange, and resource-sharing system created by linking two or more computers and establishing standards, or protocols, so that they can work together. Telecommunication systems and networks are traditionally complicated and historically ineffi cient. However, businesses can benefi t from today’s modern network infrastructures that provide reliable global reach to employees and customers. Businesses around the world are moving to network infrastructure solutions that allow greater choice in how they go to market—solutions with global reach. These alternatives include wireless, voice-over internet protocol (VoIP), and radio-frequency identification (RFID). | | | | | Knowledge Areas | Business Dilemma | | | Business Dilemma Personal sensing devices are becoming more commonplace in everyday life. Unfortunately, radio transmissions from these devices can create unexpected privacy concerns if not carefully designed. We demonstrate these issues with a widely-available commercial product, the Nike+iPod Sport Kit, which contains a sensor that users put in one of their shoes and a receiver that users attach to their iPod Nanos. Students and researchers from the University of Washington found out that the transmitter in a sneaker can be read up to 60 feet away. Through the use of a prototype...
Words: 2881 - Pages: 12
...marking, select your Assignment Submission area. For help, refer to the quick tutorial, “Submit your assignment.” Follow these steps to ensure that your assignment was received by your marker: Select the Grade Centre link. Select the exclamation mark (!). In the section “Your work,” select the file. If you can view the unmarked assignment, it is okay. If you are unable to view the assignment, contact your CGA affiliate office for help. Question 1 (20 marks) Note: For multiple-choice questions, select the best answer. Incorrect answers will be marked as zero. No marks will be awarded for any explanations you may offer. Multiple choice (2 marks each) Computer systems are prone to failure for many reasons. Which of the following is the most common reason for systems security vulnerability? Human...
Words: 1541 - Pages: 7
... The direct failure involved an inadequate background check which provided hackers with customer accounts. The hacker’s then utilized the accounts to illegally access databases and steal confidential data. There is a personal-data-loss database that contains data on regarding more than 900 breaches in the U.S. which is made up of more than 300 million personal records. Analysis of this database illustrated that 81% of the breaches were committed by malicious outsiders. This value relates specifically to records that were vulnerable to being stolen by identity thieves. Further this value illustrates that four out of five cases were potentially preventable (Phua, 2009). This data breach could have been prevented through a host of security measures. Primarily enforcement of the company’s existing policy to perform a thorough background check of customers seeking sensitive information. However, it also appears the organization may have failed to establish or employ extensive data...
Words: 1067 - Pages: 5
