Free Essay

Security Breach at Tjx

In: Computers and Technology

Submitted By dwayneok18
Words 2721
Pages 11
Question 1

TJX is the parent company of popular off-price retailers like TJ Maxx and Marshalls. Based in Framingham, Massachusetts, TJX has over 2,400 stores worldwide and earned US$17.4 billion in sales during the 2007 fiscal period. On December 18th, 2007, TJX discovered that it fell victim to one of the largest data theft cases in American history. Approximately 94 million credit and debit cardholders were affected by the attack. The American Secret Service and FBI had to investigate the breach and TJX lost millions of dollars in the following years due to class-action lawsuits and investigation costs. This report will analyze the causes of TJX’s IT security weaknesses and provide recommendations on what the company should do in the short-term and long-term to ensure something like this never happens again.

Question 2

Management – TJX’s management needs to move fast and implement better IT security measures to prevent an attack like this from ever happening again. They must accomplish this while balancing lawsuits from credit card companies & customers and ongoing federal investigations while still managing day-to-day operations. TJX has already booked a provision of $168 million related to the attack and does not want to suffer any more financial loss. It also needs to regain customer confidence, which is crucial to maintaining its market leadership and sales.

Customers – TJX’s customers have lost confidence in the company’s ability to store its sensitive data. Customers are very dissatisfied with the situation and many are planning to take legal action against TJX. Customers needs TJX to reassure them that it has the ability and resources to protect their data

Federal Government – They need to track down the people responsible for this intrusion but they also need to investigate why TJX’s systems were so vulnerable. If the government concludes that TJX was negligent in their IT security measures, the government may be forced to shut down TJX until it can re-establish its IT security practices.

Payment Card Industry (PCI) Auditors – These auditors were responsible for ensuring TJX was compliant to the Data Security Standards outlined by the PCI but according to court documents, TJX did not meet 9 of the 12 requirements. Therefore the professional conduct of these auditors will be questioned subsequent to an investigation because they signed off on TJX’s systems as having no issues

Question 3

IT plays a major role in TJX and the retail industry. IT provides TJX the ability to manage up-to-date information about its inventory and its customer’s purchasing behaviour. This information is essential in creating and maintaining strong Supply Chain Management and Customer Relationship Management practices. TJX also earns billions of dollars in income through millions of transactions each year and thus, TJX needs reliable IT infrastructure and security to manage all of this traffic in a safe, private and confidential way. Finally, E-Commerce plays a huge role in today’s economy. Without dynamic IT services, companies will not be able to capitalize on the opportunities that E-Commerce present. Therefore, in order to expand its revenue streams and increase its profit margins, TJX needs to implement IT strategies that effectively support its E-Commerce endeavours.

Question 4

1. Operational Efficiency – TJX’s profit margins are very low, therefore it needs to ensure it is minimizing its operation costs as much as it can. Doing this will boost company performance. 2. Supplier Relationships – TJX depends on manufacturers and department stores to provide it with excess and off-season inventory, which it can then sell to its customers. Without strong supplier relationships, TJX risks having to operate with a lack of inventory on the sales floor, which is highly inefficient. 3. Customer Relationships – TJX’s profit margins are very low on its transactions. However, the company can combat this by strengthening its customer relationships using CRM methods.

Question 5 - People Failure Points

Lack of User Account Management: TJX’s people did not have any user account internal controls in place. If they did, the intruders would not have been able to create user accounts on the central network without being detected. Someone in TJX’s Human Resources and IT departments should have realized an excess amount of network user accounts that did not correlate to the number of TJX’s staff. However, this was not caught internally. It was also not caught externally by TJX’s financial statement auditors or the auditors responsible for ensuring TJX’s complied with PCS DSS standards. External auditors are responsible for reviewing their clients’ internal controls to make sure they are working effectively. Not only did TJX’s internal staff fail the company with respect to user account management, the external financial auditors and PCI DSS auditors did too.

Unacceptable Network Monitoring: TJX’s people failed to monitor the company’s central networks properly because intruders gained access to it for several months without being detected. This is a clear indication that TJX’s intrusion detection/prevention program was not working and the people responsible for designing this program failed the company. What is unclear is whether this was due to a lack of resources or incompetence.

Failure to Comply with Payment Card Industry Data Security Standards: According to case documents, TJX did not meet 9 of the 12 PCI DSS requirements covering encryption, access controls and firewalls. If these security features are not implemented correctly, networks will have loopholes and vulnerabilities which hackers can take advantage of. This is why the PCI DSS standards exist, to ensure companies are up-to-date with the risks facing network security. The people responsible for TJX’s failure to comply and the auditors who signed off on TJX’s practices need to be reprimanded immediately, as their actions collectively cost the company millions of dollars.

Work Process Failures

Encryption Process Failures: A major failure in TJX’s encryption process was its use of the wireless equivalency privacy (WEP) software for its encryption algorithm. This WEP encryption algorithm was TJX’s main line of defense for its wireless networks. However, according to the case, information on how to crack WEP is widely available online via simple Google searches. To make matters worse, the intruders had the actual decryption key for the WEP software in use at TJX. WEP software does not provide acceptable defence for TJX. WEP is more applicable for household use. For example, most people who have Wi-Fi at home protect it with a WEP key. It is totally unacceptable for a company like TJX, which stores millions of customers’ private information to be using WEP software to protect its wireless networks. Also, TJX did not start encrypting customer data until after April 7, 2004. However, because TJX was not purging its customer data regularly as required by PCI DSS, the intruders had access to customer data that was acquired by TJX as far back as 2002. This data that was received since 2002 was not encrypted because encryption was only implemented by TJX in 2004, therefore the intruders had easy access to it.

Processing Logs Process Failures: TJX did not keep logs that provided key information about files on its central system. Information kept in logs includes: when files were created, deleted, moved and accessed. Logs also provide network administrators with user information that describes which employee deleted/created/accessed certain files. If TJX maintained a processing log, it not only would have detected the intruders’ suspicious files earlier, it also would have been able to gain a better understanding of the scale of the intrusion.

In-Store Kiosk Process Failures: The internal processes regarding the in-store kiosks were not effective. Why weren’t the in-store kiosks locked? Why weren’t USB driver hardware covered so that the intruders could not stick their flash drives into the machine? TJX could have installed an alarm lock, so that if the kiosks were broken into, a sound would go off to alert store employees.

Firewall Processes: TJX’s firewalls were not set-up to defend against traffic coming from in-store kiosks. This process deficiency left TJX’s central networks very vulnerable. Every device that offers a point of access to TJX’s networks needs to have a firewall defending it. Further questions can be asked about why in-store kiosks were given direct access to the Framingham network in the first place. Such small, high-risk devices should not have direct access to TJX’s central networks.

No Business Continuity Plan or Disaster Recovery Plan: Both of these plans are necessary emergency responses that need to be designed and implemented by companies that store sensitive information. However, both did not seem to be in effect at TJX since upon discovery of the intrusion, TJX had to call in external companies to determine what was going on. TJX’s internal processes were not even able to confirm whether or not an actual intrusion had taken place.

Specific Technology Failure Points

Firewalls: Because there was no firewall technology implemented to analyze the information being transmitted from in-store kiosks, the intruders were able to gain access into the central networks housed in Framingham undetected. This could have been avoided if a firewall was installed.

Encryption: TJX’s use of WEP encryption software instead of Wireless Application Protocol (WPA-2) software was another technology failure. WEP encryption software is not safe enough to be used to guard TJX’s wireless network because hackers can find ways to gain access to the decryption keys. On the other hand, WPA software standardizes the way that wireless devices can be used. Therefore, even if a hacker was able to gain control of a device encrypted with WPA-2, it would not be able to access TJX’s central networks because the device would not have been granted access to do so by network administrators.

Question 6 - Short Term Priorities

Regain Compliance with PCI DSS Immediately: TJX needs to make the necessary adjustments to its network systems to ensure compliance with the PCI standards. The fact that TJX is a level 1 PCI company, yet it failed to comply with the data security standards is totally unacceptable.

User Access/Account Controls: TJX did not have any effective data encryption on its networks. There were also no signs of user account internal controls in place. I recommend TJX implement an Advanced Data Encryption Standard, a user access auditing system and a single sign on solution. By implementing a single sign on solution, network administrators can be more accountable over who is actually singing onto the central networks. They do not have to sift through the multiple access points that were previously available in TJX’s legacy systems. Now with a single sign on solution, if an intrusion is detected, TJX’s IT Security team can quickly pinpoint which user is abusing the system.

Firewalls and Encryption Technology: TJX needs to plug loopholes regarding its firewall and encryption software. TJX needs to develop firewalls that monitor information received from any device that has access to the central network. This includes developing firewalls to guard against data being received from in-store kiosks. With regards to encryption, TJX needs to update its wireless network encryption software from WEP to WPA-2 immediately because the intruders have the decryption key for the WEP software currently being used by TJX.

Create a Disaster Recovery Plan and Use Tiger Teams to Test Vulnerabilities: TJX needs to have a disaster recovery plan in place. Without one, it leaves itself open to numerous risks subsequent to the discovery of an IT system issues. These risks can be avoided if a thorough disaster plan is in place. Furthermore, TJX should employ Tiger Teams to come in periodically to test for loopholes and vulnerabilities in its IT networks. A Tiger Team is a team of expert hackers who try to hack into a company’s networks in order to identify any potential threats or points of failures in an IT environment. By implementing Tiger Teams, TJX can always be on guard for new threats to its system and make the necessary adjustments and adaptations to remain safe. Outsource IT Security to Trusted Outside Vendors: Storing data is not one of TJX’s core competencies. The company is a trusted off-price retailer. Therefore, TJX should consider outsourcing its IT Security Processes to trusted vendors instead of internalizing it. The following process can be easily outsourced at a fairly low cost:

Transactional Data and Point of Sale Process (POS): TJX’s customers have lost confidence in the company’s ability to store their transactional data. TJX handles millions of transactions every year and many of them involve credit cards, debit cards and cheques. Because TJX has proven it does not currently have the ability to keep this data safe in its networks, it would be best for TJX to outsource this process in order to regain customer confidence. There are many firms that offer merchant services for an affordable price. These companies will store the customer data on behalf of TJX for a small fee per transaction. TJX should look into companies like Merchant Warehouse and TransFast, who charges 19 cents per transaction. TJX should consider outsourcing its data warehousing within the next 6 months. Doing this would shift accountability of customer data away from TJX and will help re-establish assurance for customers because their information is kept with a trusted business that specializes in data warehousing.

High Level Long-Term Recommendations

1. Expand IT Security and Compliance Staff to maintain the progress made once short-term recommendations are implemented. This team of staff needs to be highly qualified and must be given the adequate financial and technical resources needed to ensure TJX’s networks are protected and the company is compliant with PCI DSS 2. Create a new committee on the board of directors that monitors the company’s IT security processes. This committee will ensure the company is making a commitment to being up-to-date with current IT technologies. Therefore, when something changes in the marketplace, TJX will be proactive and make the necessary adjustments to its networks to plug all loopholes. With this committee, TJX will ensure it is progressive in its IT policies and implementation. 3. Create lasting partnership with outside IT vendors that specialist in data security and processing. Similar to TJX’s strategic partnerships with clothes manufactures and department stores, if TJX can negotiate effectively with IT vendors, it can develop a strategy to outsource its IT needs at a price that is cost effective. Doing this will free up human capital and will allow TJX to focus on its core competencies.

Question 7
TJX cut corners, which created risks. TJX cut corners by keeping WEP as its encryption software instead of updating to WPA-2. It also cut corners by not updating its firewalls to ensure kiosk data was being analyzed. At the minimum, the company should have ensured it was compliant with PCI DSS standards, which it was not. The retail environment is very competitive. In order to sustain success, companies must find ways to create operational efficiencies. However, IT infrastructure and security is not an area that should be lacking resources. Companies need to understand that IT is not just an isolated department. It is a business issue that affects the entire firm. TJX was definitely not a victim in this situation. The intruders’ ease of access into TJX’s central system and the time spent without being detected prove TJX did not have sufficient resources and infrastructure dedicated to its IT department.

Smart, profitable retail organizations get into these types of situations because data warehousing and IT security is not one of their core competencies and thus they fail to provide it with the necessary resources to ensure hackers do not compromise the systems. It boils down to placing a value on customer confidence. TJX kept trying to cut corners by not updating its technologies (e.g. Continued using WEP key, lack of firewalls, etc.) but failed to understand that if things went wrong, which they did, customer confidence would plummet. Now, it may be difficult to put a price on customer confidence but it is a form of goodwill that takes years to build up and just days to lose. TJX had to incur costs of $168 million directly related to the attack. It is uncertain just how much the company stands to lose from former customers who do not trust TJX with its information anymore.

Similar Documents

Premium Essay

Security Breach at Tjx

...Questions for Security Breach at TJX 1. What are the (a) people, (b) work process and (c) technology failure points that require attention? Discuss each of the three issues in detail. 2. Provide a set of recommendations that can be used to improve and strengthen TJX’s IT security. What should be the short term priorities and long term plans for TJX in handling IT security? 3. Was TJX a victim of ingenious cyber crooks or did it create risk by cutting corners? How did a smart and profitable retail organization get into this kind of situation? Case Analysis Questions for Security Breach at TJX 1. What are the (a) people, (b) work process and (c) technology failure points that require attention? Discuss each of the three issues in detail. 2. Provide a set of recommendations that can be used to improve and strengthen TJX’s IT security. What should be the short term priorities and long term plans for TJX in handling IT security? 3. Was TJX a victim of ingenious cyber crooks or did it create risk by cutting corners? How did a smart and profitable retail organization get into this kind of situation? Case Analysis Questions for Security Breach at TJX 1. What are the (a) people, (b) work process and (c) technology failure points that require attention? Discuss each of the three issues in detail. 2. Provide a set of recommendations that can be used to improve and strengthen TJX’s IT security. What should be the short term priorities and long term plans for TJX in handling...

Words: 785 - Pages: 4

Premium Essay

Security Breach at Tjx

...Overview This case analysis report is about the IT security problems that Owen Richel, the Chief Security Officer of TJX should consider to improve by analyzing some security issues that TJX had faced during the 2005-2007 database intrusion. As technology advances, companies are facing some challenges regarding information privacy. “Information privacy concerns the legal right or general expectation of individuals, groups, or institutions to determine for themselves when, and to what extent, information about them is communicated to others.” (Lecture notes) One of the privacy problems includes unauthorized access, which violates the laws and company’s policies, can limit a person to access to his/her personal information, and threaten the company’s legitimacy in its interactions with its stakeholders. In this case, TJX experienced an information security breach, caused over 94 million of payment cards at risk, and paid $158 million for damages and losses. This serious problem was recognized by Owen and thus case discussion is carried out as follows. Stakeholders & Preferences Some of the important stakeholders are customers, financial institutions, vendors and distributors, shareholders, and the management and employees. The most important stakeholder is the customers that TJX has been long serving with because they are the very first group of people who were affected by the intrusion. It was the customers’ debit and credit cards information that were stolen which...

Words: 1948 - Pages: 8

Premium Essay

Security Breach at Tjx

...Security Breach at TJX 1. Identify & describe the failure points in TJX's security that requires attention (including, but not limited to: People, Work Process, and Technology)? After analyzing the Ivey case on TJX data fiasco, I would say there were three major failure points that caused this $168MM financial hit to the corporation. * Technology: it is obvious that TJX had several technology deficiencies mainly driven by systems limitations and vulnerability. For example, inadequate wireless network security allowed the hackers to attack specific stores just by using a laptop and an antenna which permitted the thieves access to the central database. As it was mentioned in the business case, TJX was using (WEP) as the security protocol and it is well-known in the e-commerce arena that WEP encryption can be deciphered in less than one minute which makes it very unreliable and risky for business transactions. Last but not least, TJX failed to encrypt customer data. * Auditors: it is concerning that TJX passed a PCI DSS check up and that non auditor noticed the technology issues TJX was facing. * Executives at TJX: It is evident that the company wasn’t in compliance with the Payment Card Industry (PCI) standards. Primarily, the person in charge of the IT department should have been on top of ensuring TJX to be in compliance, by setting expectations and objectives pertained to security within its organization. In addition to the head of IT, I...

Words: 826 - Pages: 4

Premium Essay

Tjx- Hacker Research

...How was TJX vulnerable to breaches? How did the situation escalated into a full scale breach. TJX was vulnerable to the breach because of failed attempts to update security which could have prevented the breach. TJX performed an audit and it found that it was non-compliant with 9 of the 12 requirements for a secure payment transaction. Gonzalez used a simple packet sniffer to hack into the system. The packet sniffer Gonzalez used went undetected for several months. TJX failed to notice any data being transferred from their own server which allowed them to lose 80 GB of data. Gonzalez had blind servers in Latvia and Ukraine that were used to breach the system (NT2580: Week 1). Gonzalez performed reconnaissance on their retail stores. Then Gonzalez determined a weakness in the payment systems and utilized malware to intercept credit card information. Gonzalez committed this crime between 2006 through 2008 before being caught. Gonzalez was an informant for the Secret Service which Gonzalez took part in an undercover operation related to a card theft case (Sileo, Operation Get Rich or Die Tryin' Still Lives). Gonzalez was sentenced for the largest computer crime case that has been documented. The only motive Gonzalez has was technical curiosity and obsession with conquering computer networks. Gonzalez’s attorney argued that some of the loses were the result of TJX’s own negligence. If security upgrades were done then it may have prevented the breach (Zetter,TJX Hacker Gets...

Words: 407 - Pages: 2

Premium Essay

Check Point at Tjx Company

...Check point TJX Company IT/205 MAY 24, 2012 Check point TJX Company Information security means protecting information systems from unauthorized access. To my understanding TJX failed to properly encrypt data on many of the employee computers that were using the wireless network, and did not have an effective firewall installed. In the reading it indicated that TJX was still using the old Wired Equivalent Privacy (WEP) encryption system, which is relatively easy for hackers to crack. The Wi-Fi equivalent privacy (WEP) was considered old, weak and ineffective, therefore I could say the security breach that TJX had experience was a resulted by using a cheap and inexpensive wireless Wi-Fi network like the Wired Equivalent Privacy (WEP) encryption system, which make it easy for hackers to navigate. This is why it is important that TJX should have invested in using the wireless Wi-Fi Protective access 2 (WPA2) The Wi-Fi Protected Access 2 (WPA2) standard in conjunction with a sophisticated encryption system could have been used to replace the WEP. In that situation an effective firewall would have prevent unauthorized users from accessing private networks, meaning firewall acts like a gatekeeper who examines each user’s credentials before access is granted to a network. An effective Firewall could have reduced the ability for hackers to gain access to sensitive information. A data security breach could result a variety of issues some of them could be loosing of confidence...

Words: 436 - Pages: 2

Premium Essay

Tjx Corporation

...Executive Summary The TJX Corporation is a large retailor with stores throughout the United States,, Puerto Rico and United Kingdom. In 2005, a security breach of credit card information occurred through a seventeen-month period. The intrusion of customer personal information has grossed the concern of the security among their IT infrastructure. The following criteria based upon their security concerns and customer relationships recovery. Their growth as a discount retailer is dependent on the course of action they must take. They will adhere to a secure network, protect their stored data, prevent future intrusion of their system, restrict access to unauthorized users and frequently test for the implementation of their security measures. TJX will focus on establishing IT governance, mitigate risk, and develop a management strategy through the following alternatives. They will focus on hardware and software upgrades to prevent future attacks of their communication lines and their network through enhanced software and data encryptions. A Payment Card industry Data Security standard has been established and must be maintained by TJX, an implementation from the IT security team will be completed on a regular basis ensuring that all files and file transfers are appropriately encrypted. Internal and external security and network audits will need to be performed on a regular basis to comply with the PCIDSS. This will allow for testing of their system access and identify concerns within...

Words: 3688 - Pages: 15

Premium Essay

Breach Tjz

...Problem Statement The main problem of the case is: • How should TJX improve and strengthen its IT security? What should be its short-term and long-term goals in-order to achieve this goal of strengthening its IT security? Inorder to solve this problem, TJX should identify and solve the following issues: • What are the people, work processes and technology failure points that require attention? • What practices led to the security breach in TJX and why did such a smart andprofitable organization as TJX face such a situation? • Was TJX a victim of ingenious cyber crooks or did it create risk by cutting corners? Financial Losses and related remedies: 1. TJX had booked a cost of $168 million for the data breach it had announced in February 2007. 2. $21 million is projected as a possible hit for 2008. 3. Three years of credit monitoring and identity theft insurance coverage for all the customers, whose identification information was compromised. 4. Offer vouchers to customers who shopped at TJX during security violation and who had incurred certain costs as a result of intrusion. b. Describe the industry situation Customers 1. Many customers use credit and debit cards for their shopping. 2. Customers take security issues very seriously and file class actions in the court against the company in any such critical situations. Traditional Competitors 1. Department and specialty stores. ...

Words: 733 - Pages: 3

Free Essay

Get Rich or Die Tryin

...card information. One of these corporations just happened to be TJX. The TJX network was not secure enough from the start. The company was using inadequate wireless security protocols. They used WEP security (wired equivalent privacy) which is easy to crack and a good hacker could break into this type of network security really fast. A hacker with a laptop could simply sit outside the store and break into the network in less than a minute. TJX should have been using the much stronger wireless security protocol WPA (WI-FI Protected Access Protocol). TJX also stored card data improperly. They stored credit card information such as pin codes and cvc codes which are on the back of most credit cards. PCI Data security standards states that sensitive data such as the PIN and CVC codes should not be stored. So the company broke protocol by storing this information. Even though a network breach occurred, this vital card information may have not been exposed if it wasn’t stored on the company network. Finally, the stored data was not encrypted. Another PDI protocol was broken by not properly encrypting the data. Any account number should be rendered unreadable according to the security protocols. TJX did not do this either which meant another protocol broken. These breaches of security had a significant impact on the TJX Company. Over 45 million card numbers were stolen which cost customers over 4 billion dollars. TJX was sued by the major card companies and by the...

Words: 396 - Pages: 2

Premium Essay

Week 1 Analysis

...Analysis of TJX Vulnerabilities Chantelle M. Jones ITT Technical Institute Online NT 2580 The breach that was made from “Operation Get Rich or Die Tryin’” compromised the customer’s credit card information when performing transactions with TJX. The credit card information was obtained and sold which forced the company to lose out on millions of dollars and their customers became victims of identity theft. TJX was vulnerable to breaches because they failed to implement a proper IT security infrastructure within their network. Customer confidential information was saved in plain text. It was not encrypted which makes it easier for attackers to obtain the information. They were not to be in compliance with payment card industry (PCI) security standards. TJX also did not restrict wireless access to their network and failed to notice 80 GB of stored data being transferred from their servers. They also did not follow up on security warnings and intruder alerts. It took IT seven months to discover the packet sniffer then failed to notify their customers. The attack escalated to a full-scale breach because even after the packet sniffer was discovered, there was no disaster recovery plan put into motion in order to stop the threat from doing more damage. They were noncompliant with numerous requirements for secure payment and transactions. One of which is the absence of logs. It would be much more difficult to eradicate threats without knowing when, how or where they took place....

Words: 280 - Pages: 2

Free Essay

Itt-Essay-01

...The IT security breach, caused by one Albert Gonzalez and his accomplices, is one of the most expensive lessons in corporate data security policies. For TJX this is more so as it is not only just that, it’s a black spot on the companies security record and has earned quite the problem as people no longer trust the company due to just how many security issues came to light with Albert’s breach. The TJX stores were foolishly using the relatively weak Wired Equivalent Privacy (WEP) protocol instead of updating to the stronger Wi-Fi Protected Access (WAP) protocol, making it much easier for the breaches to occur. However, the real damage came from the fact that the intruders were able to access the TJX internal systems, being able to move around freely for almost two years. The breaches occurred from the middle of the year 2005 and ran through December 2006, while an estimated 47.5 million records were stolen during that time period. TJX’s other security problem was because they allowed the hackers free roam for pretty much 18 months, showing the company didn’t keep proper traffic logs for their system, the company being unable to find them due to the need to look through all of their systems to try and determine just who it was that took what data, from where, where it was sent, and so on. Because of this, the investigation into the matter took them months and months, giving their opposition all that time to continue messing around their database. It’s also expected that TJX might...

Words: 625 - Pages: 3

Free Essay

It/205 Week 5 Checkpoint

...Checkpoint - TJX Companies IT/205 March 1, 2013 Checkpoint - TJX Companies This week’s checkpoint deals with the credit card data theft at TJX companies which occurred in July of 2005. According to the book Essentials of MIS, the thieves used a vulnerable wireless network from one of the department stores on the TJX network to gain access. (Laudon & Laudon, 2011, p. 243) After the thieves had access to the network the installed a sniffer program on one of the main computers of the network. They then were able to download any information that they needed to. The TJX Company was still using outdated weak wireless security encryption called WEP, (Wired Equivalent Privacy), instead of upgrading to a more secure version of wireless security, WPA, (Wi-Fi Protected Access). They also did not have any firewalls or data encryption in place. (Laudon & Laudon, 2011, p. 243). The tools that was needed to be in place to help stop this from happening was, the stronger wireless security of Wi-Fi Protected Access (WPA) standard with more complex encryption, they also needed to install strong firewalls, data encryption on computers, and to transmit credit card data to banks with encryption. This breach had some lasting effects on the TJX Company. One of the first effects was that the company had to strengthen the company’s information system security. They also had to agree to have a third-party auditor review their security measures every two years for the next twenty years...

Words: 388 - Pages: 2

Premium Essay

Understanding It Infrastructure Security Case Study

...Week 1: Understanding IT Infrastructure Security Case Study Hello my name is YGS and I am an Independent contractor for TJX, they have requested my assistant and I will be in charge of all IT matter at TJX. In recent happenings at TJX you should by now be aware that this company was breached by a hacker by the name of the Albert Gonzalez. He stole over $170 million dollars of customer’s credit card information. As a result TJX has taken a major financial loss and our honor and credibility is in question. The reason we are in question is because it turns out the matter was not discovered until an outside source (our gateway/payment-card processing) partners came in and performed an audit to then discover we were breached. Before the audit we should have caught the transfer of 80 GB of stored data by Mr. Gonzalez. Prior to any breach of this company TJX should have been compliant with the payment card industry compliance and validation regulations. In complying with the Federal Trade Commission (FTC) under FTC jurisdiction our IT team should be consistently taking measures in place to keep customer information secure at all times. By being on top of things we would have been less vulnerable to an attack of this size and speared the embarrassment of not discovering the breach for over seven months. To of eradicated this from ever happening TJX should have made sure that our payment gateway client was compliant with their firewall configuration, protect stored cardholder...

Words: 361 - Pages: 2

Free Essay

Rbc Cooper

...January of 2007 the parent company of TJMaxx and Marshalls known as TJX reported an IT security breach.   The intrusion involved the portion of its network that handles credit card, debit card, check, and merchandise return functions.   Facts slowly began to emerge that roughly 94 million customers’ credit card numbers were stolen from TJMaxx and Marshalls throughout 2006.   It was believed that hackers sat in the parking lots and infiltrated TJX using their wireless network. Most retailers use wireless networks to transmit data throughout the stores main computers and for credit card approval.   The wireless data is in the air and leaks out beyond the store’s walls.   TJX used an encryption code that was developed just as retailers began going wireless.   Wired Equivalent Privacy or WEP is a wireless encryption code developed in 1999 that retailers began to implement.   Within a couple of years hackers broke the encryption code and rendered WEP obsolete.   Many retailers In January of 2007 the parent company of TJMaxx and Marshalls known as TJX reported an IT security breach.   The intrusion involved the portion of its network that handles credit card, debit card, check, and merchandise return functions.   Facts slowly began to emerge that roughly 94 million customers’ credit card numbers were stolen from TJMaxx and Marshalls throughout 2006.   It was believed that hackers sat in the parking lots and infiltrated TJX using their wireless network. Most retailers use wireless networks...

Words: 314 - Pages: 2

Premium Essay

Computer Security & Privacy - Tjx

...Computer Security & Privacy - TJX Case Backgroud: TJX, largest apparel and home fashions retailers in the off-price segment was struck with Security Breach in all of its eight business units in US, Canada and Europe. Intruder had illegally accessed TJX payment system to hack personal and credit/debit card information of an unspecified number of customers. Security breach had affected Customers - pay for the purchases made by the intruders/ card invalidated / expiring the spending power, Financial Institutions –re-issue the cards for those customers whose information was compromised, Store Associates –change their credentials for system access, Vendors, Merchandisers - Modify the information shared due to mutual network and Richel Owen, CSO- design long and short term strategy to address the security breach issue. Intruders utilized the data stolen to produce bogus credit/debit cards that can be used at self-checkouts without any risks, and had also employed gift card float technique. Case Analysis: TJX learnt about the hacking on December, 2006 through the presence of suspicious software and immediately called in Security consultants for assistance. TJX had been intruded at multiple vulnerable points – Encryption, Wireless attack, USB drives, Processing logs, Compliance and Auditing practice. Encryption - Intruder had accessed the card information during the approval process and had the decryption key for the encryption software used in TJX. This can be addressed by purchasing...

Words: 620 - Pages: 3

Premium Essay

Identity Theft in Online Business

...Findings……………………………………………………………………..4 3.1 Issues of Online Identity Theft …………………………………………...4 3.2 Trends of Online Identity Theft……………………………………………5 4. Case Study………………………………………………………………………..7 4.1 Background…………………………………………………………………..8 4.2 Analysis……………………………………………………………………….8 5. Recommendations and Conclusions……………………………………..…9 Executive Summary Identity theft make a lot of customers and organisations suffer serious loss both financially and emotionally. It is necessary to build acknowledge of identity theft to protect the interest of customers and organisations. This report finds the different methods and trends of identity theft and gives some advices for protection. A case study of TJX breach case shows the harm of identity theft in an organisation. 1. Introduction The internet technology has greatly changed the world in which human live since 1990s. Nowadays, internet has gone deep into people’s daily life and its high productivity, efficiency and convince make people deeply rely on it. Online business and social network have become the most important contributions of internet. As the growth of e-commerce and number of users of social networking websites, the target of identity theft has broadened. In e-commerce, identity theft threats not only the customers’ information and property safety but also the interest of corporate. On the social networking websites such as Facebook, users usually use their real e-mail address...

Words: 2731 - Pages: 11