Problem Statement
The main problem of the case is:
- How should TJX improve and strengthen its IT security? What should its short-term and long-term goals be in order to achieve this?
In order to solve this problem, TJX should identify and address the following issues:
- What are the people, work-process and technology failure points that require attention?
- What practices led to the security breach at TJX, and why did such a smart and profitable organization as TJX face such a situation?
- Was TJX a victim of ingenious cyber crooks, or did it create risk by cutting corners?
Background
a. Describe the company/department
History
- TJX was the largest apparel and home fashion retailer in the United States in the off-price segment and was ranked 138th in the Fortune 500 in 2006.
- TJX sold brand-name apparel at prices 20 to 70% lower than department or specialty stores.
- TJX had eight independent businesses under a common umbrella, with over 2,400 stores and about 125,000 associates.
Conditions
- Operational efficiency, vendor relationships and scale, which are crucial to an off-price retailer, were well maintained at TJX.
- The quality of internal IT systems was crucial to maintaining margins and staying competitive.
- IT systems helped TJX connect people, places and information across the value chain.
- TJX bought merchandise from manufacturers throughout the year, irrespective of seasonality and trends.
Strengths
- Vendors, buyers, merchandisers, customers, store associates and financial institutions were well connected through TJX's IT networks.
- In-store technologies such as kiosks and hand-held price/inventory barcode scanners supported customer service and differentiated TJX from its competitors.
- TJX had also invested in CRM to increase revenues by targeting its most profitable customers.
Weaknesses
- TJX had not met nine of the twelve PCI DSS requirements, covering encryption, access controls and firewalls.
- Its auditors failed to identify three key problems with TJX's systems: absence of network monitoring, absence of logs, and unencrypted data stored on its systems.
- TJX retained customer data years after it should have been purged.
- TJX did not have a Chief Security Officer (CSO) until 2006, which indicates how little ownership it took of its IT security.
Storage Systems:
- TJX had two main storage systems: the Framingham system and the Watford system.
- The Watford system processed and stored information related to payment card transactions at T.J.Maxx in the UK and Ireland. The Framingham system processed and stored information pertaining to debit and credit card transactions of customers from all other locations.
- TJX stored the driver's license numbers and identification numbers such as SSNs, along with the names and addresses, of customers who had returned goods.
Financial Losses and related remedies:
- TJX booked a cost of $168 million for the data breach it announced in February 2007.
- A further $21 million was projected as a possible hit for 2008.
- Three years of credit monitoring and identity theft insurance coverage for all customers whose identification information was compromised.
- Vouchers offered to customers who shopped at TJX during the security violation and who had incurred certain costs as a result of the intrusion.
b. Describe the industry situation
Customers
- Many customers use credit and debit cards for their shopping.
- Customers take security issues very seriously and file class actions against the company in such situations.
Traditional Competitors
- Department and specialty stores.
Opportunities
- Strong customer base and loyalty.
- The availability of capable IT systems enabled rapid delivery of data, facilitating quick decisions at different levels.
- CRM technologies helped retailers increase their revenues by focusing on the most profitable customers.
Threats
- Security intrusions could lead to heavy losses for the company.
- Customer loyalty is a driving force for profits, and any security breach would have a huge impact on it.
- Wireless is a popular means of attacking retail chains.
Key Issues
a. Issue #1: Cause of technology failures and computer intrusions.
   Sub-issue: Wireless attacks
b. Issue #2: Identifying the issues/drawbacks related to work processes.
c. Issue #3: Increasing the awareness of employees towards these security violations.
   Sub-issue: Digital eavesdropping
Relevant Areas, Facts, Conclusions
a. Relevant areas for Issue #1
1) Encryption Techniques
- The encryption protocol (WEP) used on TJX's wireless network was very weak; WEP-cracking tools and instructions were available online via simple Google searches.
- The attackers also identified a window of time in which credit card numbers were decrypted, and during that window of less than a second they captured all the data they required.
Conclusion:
TJX's encryption was outdated and exposed it to security risks.
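The following is an added example, not code from the case or from TJX, showing the class of weakness behind the finding above: WEP keys RC4 with a 24-bit per-frame IV prepended to the shared key and sends that IV in the clear, so on a busy network IVs repeat and two frames end up encrypted with the same keystream. XORing the two ciphertexts cancels the keystream, and a predictable plaintext for one frame (a fixed-format price-check request) recovers the other frame without the attacker ever learning the key. The shared key, IV and frame contents are constructed for the demonstration; the RC4 implementation is the standard algorithm.

```python
"""Added example (not from the TJX case itself): why a WEP-style RC4 scheme is weak.

WEP keys RC4 with a 24-bit per-frame IV prepended to the shared key and sends
the IV in the clear. A 24-bit IV space (about 16.7 million values) is exhausted
on a busy network within hours, so IVs repeat, and two frames encrypted under
the same (IV, key) share the same keystream. XORing the two ciphertexts cancels
the keystream; a known plaintext for one frame then recovers the other without
ever learning the key. Key, IV and frame contents below are constructed.
"""


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Generate n bytes of RC4 keystream (key-scheduling + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP-style frame body: 3-byte IV in the clear, then payload XOR RC4(IV || key).
    The per-frame CRC-32 ICV is omitted; it does not affect the attack shown."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + xor_bytes(payload, rc4_keystream(iv + shared_key, len(payload)))


def recover_via_iv_reuse(frame_a: bytes, frame_b: bytes, known_plaintext_a: bytes) -> bytes:
    """Attacker side. Given two captured frames with the same IV and the plaintext
    of frame A (e.g. a fixed-format price-check request), recover frame B's
    plaintext. No knowledge of the shared key is needed."""
    iv_a, ct_a = frame_a[:3], frame_a[3:]
    iv_b, ct_b = frame_b[:3], frame_b[3:]
    if iv_a != iv_b:
        raise ValueError("different IVs: keystreams differ, attack does not apply")
    keystream = xor_bytes(ct_a, known_plaintext_a)  # ct_a XOR pt_a == keystream
    return xor_bytes(ct_b, keystream)               # recovers min(len) bytes of pt_b


# Constructed sample traffic for a store wireless segment.
SHARED_KEY = b"store0042-wep-key"            # constructed; not a real key
REUSED_IV = b"\x4a\x13\x07"                   # the same IV appears on both frames
PRICE_CHECK = b"PRICE-CHECK SKU=00012345 STORE=0042 REQ=0001"  # predictable format
CARD_RECORD = b"CARD=4111111111111111;EXP=0609"                # test PAN, not real


def demo() -> bytes:
    """Encrypt both frames under the reused IV and recover the card record."""
    frame_a = wep_encrypt(SHARED_KEY, REUSED_IV, PRICE_CHECK)
    frame_b = wep_encrypt(SHARED_KEY, REUSED_IV, CARD_RECORD)
    return recover_via_iv_reuse(frame_a, frame_b, PRICE_CHECK)


if __name__ == "__main__":
    print(demo().decode())
```

The recovery step uses only the two captured frames and the guessed price-check text; the key never appears on the attacker side. Real WEP cracking goes further (statistical attacks on the RC4 key schedule recover the key itself from enough captured IVs), which is why "captured lots of data and used that data to crack the encryption" describes the attack on TJX.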
2) Wireless Attacks
- Thieves used telescope-shaped antennas to capture and decode data streaming through the air between hand-held price-checking devices, cash registers and the store's computers.
- They also captured IP addresses and large volumes of traffic, and used that data to crack the encryption key.
Conclusion:
Even though wireless is a known and popular means of attack, TJX had not taken proper precautions to strengthen its security systems.
b. Relevant areas for Issue #2
1) USB drives at in-store kiosks:
- The people who carried out the breach started with the in-store kiosks.
- They opened the backs of those terminals and used USB drives to load software, turning the kiosks into remote terminals connected to TJX's networks.
- Crucially, the firewalls were not configured to block traffic from the kiosks.
Conclusion:
TJX had not firewalled all the devices connected to its network.
2) Processing Logs:
- TJX did not maintain log data for its customer transactions, which was crucial for identifying the number of cards at risk.
- Such logs normally provide information about files on the system: when they were added, changed or accessed, the format of their contents, and so on.
Conclusion:
Logs are essential for tracing past transactions, and TJX had not taken care to keep and monitor them properly.
3) Compliance and Auditing Practices
- Court documents showed that TJX had not met nine of the twelve PCI DSS requirements, covering encryption, access controls and firewalls.
- The auditors failed to note three main issues: absence of network monitoring, absence of logs, and presence of unencrypted data.
- TJX had also retained its customer data years after it should have been purged.
Conclusion:
TJX's auditing was ineffective, since the auditors failed to detect the major issues present at TJX.
c. Relevant areas for Issue #3
1) Digital Eavesdropping
- The hackers digitally eavesdropped on employees logging into TJX's central database.
- They used the captured credentials to create their own accounts, and were then able to access TJX's systems from any computer on the Internet.
Conclusion:
TJX had not educated its employees about security violations and had not monitored their activity.
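As an added example (not from the case, and not describing any actual TJX monitoring), the rules below show what monitoring of the pattern described above could look like: logins to the central database from outside the company's networks, accounts created during such sessions, and later use of those accounts. The event format, the corporate address ranges and the audit trail itself are constructed for the example.

```python
"""Added example (not part of the case): detecting the pattern described above,
credentials captured by eavesdropping, reused from the Internet, and used to
create new accounts. The event format, the corporate address ranges and the
events themselves are constructed for this example; a real deployment would
feed database and directory audit logs into the same rules.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumption: these are the only networks from which employees should reach
# the central database (stores, data centre and VPN pool).
CORPORATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12")]


@dataclass(frozen=True)
class AuditEvent:
    ts: str           # ISO-8601 timestamp
    kind: str         # "LOGIN" or "ACCOUNT_CREATE"
    actor: str        # account performing the action
    src_ip: str       # where the session originated
    target: str = ""  # for ACCOUNT_CREATE: the new account name


def is_corporate(ip: str) -> bool:
    """True if the source address lies inside an approved corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def detect(events: list[AuditEvent]) -> list[str]:
    """Return alert strings for:
    1. any login to the central database from outside corporate networks;
    2. any account created during such an external session;
    3. any later login by an account created that way (even from inside),
       since it was never provisioned through the normal process."""
    alerts: list[str] = []
    external_actors: set[str] = set()   # actors whose latest session is external
    tainted_accounts: set[str] = set()  # accounts created from external sessions
    for e in events:
        if e.kind == "LOGIN":
            if e.actor in tainted_accounts:
                alerts.append(f"{e.ts} login by attacker-created account {e.actor} from {e.src_ip}")
            if not is_corporate(e.src_ip):
                external_actors.add(e.actor)
                alerts.append(f"{e.ts} external login: {e.actor} from {e.src_ip}")
            else:
                external_actors.discard(e.actor)
        elif e.kind == "ACCOUNT_CREATE":
            if e.actor in external_actors or not is_corporate(e.src_ip):
                tainted_accounts.add(e.target)
                alerts.append(f"{e.ts} account {e.target} created by {e.actor} from external session {e.src_ip}")
    return alerts


# Constructed audit trail: jdoe's password is sniffed during the 08:00 login,
# replayed from the Internet at 22:15, and used to create svc_backup.
SAMPLE_EVENTS = [
    AuditEvent("2006-05-10T08:00:00", "LOGIN", "jdoe", "10.20.1.15"),
    AuditEvent("2006-05-10T22:15:00", "LOGIN", "jdoe", "203.0.113.45"),
    AuditEvent("2006-05-10T22:17:00", "ACCOUNT_CREATE", "jdoe", "203.0.113.45", "svc_backup"),
    AuditEvent("2006-05-11T09:00:00", "LOGIN", "svc_backup", "198.51.100.7"),
    AuditEvent("2006-05-11T09:05:00", "ACCOUNT_CREATE", "admin1", "10.20.1.40", "newhire"),
    AuditEvent("2006-05-12T09:00:00", "LOGIN", "newhire", "10.20.1.41"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The sample trail produces four alerts: the external login, the account creation during that session, and two for the first use of the created account (it is both tainted and external). The legitimate creation of "newhire" by an administrator from inside produces none. Note that these rules only work if the database and directory actually emit login and account-creation events, which is exactly the logging the case found absent.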
Recommendations
a. Recommendations for Issue #1:
- TJX should improve its encryption and test it under various circumstances. TJX should engage firms specializing in data encryption and completely overhaul its current techniques, at minimum replacing WEP on its wireless networks with a current standard such as WPA2.
- TJX should properly firewall its wireless networks and monitor them for external intrusions.
b. Recommendations for Issue #2:
- TJX should make sure that all devices connected to its main network, especially the in-store kiosks, are firewalled and monitored regularly.
- TJX should log all transactions occurring in its stores and store those logs in its databases with proper authentication and access control.
- TJX should delete all unneeded data and make sure that it maintains compliance with the PCI DSS standards.
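The following added example (not code from the case or from TJX) serves two of the points made on this page: the "Processing Logs" finding under Issue #2, that without a transaction log TJX could not say how many cards were at risk, and the recommendations above to log transactions and to purge data that should no longer be kept. The log format, the test card numbers, the retention period and the choice to store an HMAC token of the card number instead of the number itself are all assumptions of the example.

```python
"""Added example (not from the case): a minimal card-transaction log with
retention enforcement. It answers "how many distinct cards were exposed in the
compromise window" (which TJX could not) and enforces a retention limit so that
card data is not kept years after it should have been purged. The log format,
the HMAC tokenisation of the PAN and all records below are constructed for this
example; storing a keyed hash instead of the PAN is a design choice of the
example, not something the case describes.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta

TOKEN_KEY = b"example-only-token-key"  # constructed; in practice held in an HSM/KMS


def tokenize_pan(pan: str) -> str:
    """Keyed one-way token of the PAN: lets records for one card be correlated
    without the log itself holding the card number."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()


def mask_pan(pan: str) -> str:
    """Display form: last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass(frozen=True)
class TxnRecord:
    ts: datetime
    store: str
    pan_token: str
    pan_masked: str
    amount_cents: int


def parse_line(line: str) -> TxnRecord:
    """Constructed POS export format: ISO-timestamp|store|PAN|amount_cents.
    The full PAN is consumed here and never written into the record."""
    ts, store, pan, amount = line.strip().split("|")
    return TxnRecord(datetime.fromisoformat(ts), store, tokenize_pan(pan), mask_pan(pan), int(amount))


class TransactionLog:
    def __init__(self) -> None:
        self.records: list[TxnRecord] = []

    def ingest(self, lines: list[str]) -> None:
        self.records.extend(parse_line(line) for line in lines)

    def cards_at_risk(self, start: datetime, end: datetime) -> int:
        """Distinct cards seen in a compromise window. Counted by token, so one
        card used several times counts once."""
        return len({r.pan_token for r in self.records if start <= r.ts <= end})

    def purge_older_than(self, now: datetime, retention_days: int) -> int:
        """Enforce the retention policy; returns the number of records removed."""
        cutoff = now - timedelta(days=retention_days)
        before = len(self.records)
        self.records = [r for r in self.records if r.ts >= cutoff]
        return before - len(self.records)


# Constructed sample export (PANs are public card-brand test numbers).
SAMPLE_LINES = [
    "2005-07-14T09:12:00|STORE-0042|4111111111111111|1999",
    "2006-07-15T10:04:00|STORE-0042|4111111111111111|2599",
    "2006-07-15T10:30:00|STORE-0042|5500000000000004|4500",
    "2006-08-01T12:00:00|STORE-0017|340000000000009|1200",
    "2006-12-20T15:45:00|STORE-0017|5500000000000004|800",
    "2007-01-05T09:00:00|STORE-0042|6011000000000004|3000",
]


def build_sample_log() -> TransactionLog:
    log = TransactionLog()
    log.ingest(SAMPLE_LINES)
    return log


def demo_counts() -> tuple[int, int, int]:
    """Run the scenario: cards at risk in Jul-Dec 2006 (assumed compromise
    window), records purged under an assumed 365-day retention as of
    2007-02-01, and records remaining afterwards."""
    log = build_sample_log()
    at_risk = log.cards_at_risk(datetime(2006, 7, 1), datetime(2006, 12, 31))
    purged = log.purge_older_than(datetime(2007, 2, 1), retention_days=365)
    return at_risk, purged, len(log.records)


if __name__ == "__main__":
    at_risk, purged, remaining = demo_counts()
    print(f"cards at risk: {at_risk}, purged: {purged}, remaining: {remaining}")
```

Two points to take from the example: the at-risk count comes straight from the log, so an incident responder can answer the question TJX could not, and because the log never holds the full card number, the log itself does not become a second copy of cardholder data that would have to be encrypted and purged under PCI DSS.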