Security Breach at Tjx

Security breach at TJX

Executive Summary

TJX Companies Inc. (TJX) is a leading off-price apparel and home fashions retailer with headquarters in the United States.  In December 2006, the company discovered it was a victim to a massive security breach which compromised millions of customer records.  As the company financials took a hit, TJX was faced with pending lawsuits from credit card companies and affected customers; government scrutiny of IT security standards; and loss of customer confidence.

Due to the obsolete encryption technology, insecure wireless security, inadequate logging of data access and updates, and incompliance of retention standards for customer information, TJX companies breach has been labeled the largest data breach in the history of security breach and the ultimate wake-up call for corporations.  The company needs to address the IT security problems and tighten and improve systems; also to minimize risks to avoid reoccurrence of future attacks.

The recommendation is to develop the IT security plan by adopting Andriole’s approach.  TJX should establish detailed plans and procedures to both minimize the risks and deal with problems when they occur.  The short-term priority should focus on correcting loopholes and comfort the affected customers; in long-term, TJX should ensure security risks are assessed regularly and preventive measures are put in place for information security.

Current Situation

TJX Companies Inc. (TJX) was the largest apparel and home fashions retailer in the United States in the off-price segment.  It operated eight independent businesses under a common umbrella – T.J. Maxx, Marshalls, HomeGoods, A.J. Wright and Bob’s Stores in the United States; Winners and HomeSense in Canada; and T.K. Maxx in Europe.

On December 18, 2006, the company learned of hacking, and it affected all the eight businesses of the company and all the stores in the United States, Puerto Rico, Canada and the United Kingdom.  The company started an internal investigation and called in security consultants to contain the intrusion and protect consumer data, they also notified law enforcement officials.  On February 21, 2007, TJX made a public announcement of the timing and scope of the intrusion.  The span of unauthorized access went unnoticed from the first hacking in July 2005 and no one discovered the break-ins for more than 18 months.  The files pertained to records as far as 2002 were stolen from their ‘Framingham system’, and some data was stolen during the payment card approval process. Numbers of data were vulnerable to theft.

This is the largest breach of personal data ever reported in the history of IT security, 94 million credit and debit cardholders were compromised.  Lawsuits by credit card issuers, financial institutions, and individual had been filed against TJX in state and federal courts, and in provincial Canadian courts.  Numerous cases of identity fraud were reported.  US$168 million which was booked as cost for the data breach would position TJX at financial loss.  Also, the confidence and creditability among the customers are deteriorated.  TJX entered into a settlement agreement, which agreed to offer three years of credit monitoring with identity theft insurance coverage, reimbursement for the replacements of driver’s license, offer of vouchers and organized customer appreciation special sales event.

The newly hired chief security office, Owen Richel identified TJX systems had been intruded upon at multiple points of attack, including obsolete encryption technology (WEP), weak insecure wireless network, improper use of USB drives at in-store kiosks, incapable of maintaining the processing logs, and incompliance of compliance and auditing practices.

This case presents a ‘wake-up call’ for retail companies about the importance of IT security and for the prevention of future attacks.

Criteria

The following criteria will be used to evaluate any actions taken by TJX:

1. IT infrastructure to support encryption technology and wireless network.
2. Education and training for employees about the role of security and the ways of protecting vital resources.
3. Establish security policy for detailed security planning.
4. Establish user authentication and authorization procedures.
5. Within economic feasibility.
6. Compliance to government security standards (PCI DSS).
7. Tighten up the controls and security for any intentional or unintentional errors and risks.

Analysing the IT infrastructure is important in order to understand if the current IT infrastructure is capable to support the upgrade of encryption technology and the increase of security level for wireless network or signal, such as multi-layered firewalls.  Education and training to staff about the security risks are necessary as well since the negligence of the terminals had allowed hackers to enter the network.  Establishment of security policy can mitigate the probability and impact of security breach; especially when TJX did not react when they first found the intrusion.  Finally, TJX had to turn to the actions in timely method since the data was exposed to identity theft.