Tuesday, March 18, 2014

SECURITY BREACH AT TJX - Analysis

Problem Statement

 The main problem of the case is:
·         How should TJX improve and strengthen its IT security? What should its short-term and long-term goals be in order to achieve this?
In order to solve this problem, TJX should identify and resolve the following issues:
·         What are the people, work-process and technology failure points that require attention?
·         What practices led to the security breach at TJX, and why did such a smart and profitable organization as TJX end up in this situation?
·         Was TJX a victim of ingenious cyber crooks, or did it create the risk by cutting corners?

 Background

        a.     Describe the company/department

            History

    1. TJX was the largest apparel and home fashion retailer in the United States in the off-price segment and was ranked 138th in the Fortune 500 in 2006.
    2. TJX sold brand-name apparel at prices 20 to 70% lower than department or specialty stores.
    3. TJX ran eight independent businesses under a common umbrella, with over 2,400 stores and about 125,000 associates.

           Conditions

    1. Operational efficiency, vendor relationships and scale, which are crucial to an off-price retailer, were well maintained at TJX.
    2. The quality of internal IT systems was crucial to maintaining margins and staying competitive.
    3. IT systems helped TJX connect people, places and information across the value chain.
    4. TJX bought merchandise from manufacturers throughout the year, irrespective of seasonality and trends.

 Strengths

    1. Vendors, buyers, merchandisers, customers, store associates and financial institutions were well connected through TJX's IT networks.
    2. In-store technologies such as kiosks and hand-held price/inventory barcode scanners improved customer service and differentiated TJX from its competitors.
    3. TJX had also invested in CRM to increase revenue by targeting its most profitable customers.

            Weaknesses

    1. A PCI DSS review showed that TJX had not met nine of the twelve requirements, covering encryption, access controls and firewalls.
    2. Its auditors failed to identify three key problems with TJX's systems: the absence of network monitoring, the absence of logs, and the presence of unencrypted data stored on its systems.
    3. TJX had retained customer data for years after it should have been purged.
    4. TJX did not have a CSO until 2006, which indicates how little ownership it took of its IT security.

            Storage Systems:

    1. TJX had two main processing and storage systems: the Framingham system and the Watford system.
    2. The Watford system processed and stored information related to payment card transactions at T.J.Maxx stores in the UK and Ireland. The Framingham system processed and stored debit and credit card transaction data for customers at all other locations.
    3. TJX stored driver's license numbers and ID numbers such as SSNs, along with names and addresses, for customers who had returned goods.

               Financial Losses and related remedies:

    1. TJX booked a cost of $168 million for the data breach it announced in February 2007.
    2. A further $21 million was projected as a possible hit for 2008.
    3. Three years of credit monitoring and identity theft insurance coverage were offered to all customers whose identification information was compromised.
    4. Vouchers were offered to customers who shopped at TJX during the intrusion period and who had incurred certain costs as a result of the intrusion.

b.    Describe the industry situation

           Customers

    1.  Many customers use credit and debit cards for their shopping.
    2. Customers take security issues very seriously and file class actions against the company in such situations.

           Traditional Competitors

    1. Department and specialty stores.

            Opportunities

    1. Strong customer base and loyalty.
    2. The availability of IT systems enabled rapid delivery of data, facilitating quick decisions at different levels.
    3. CRM technologies helped retailers increase revenue by focusing on their most profitable customers.

                  Threats

    1. Security intrusions could lead to heavy losses for the company.
    2. Customer loyalty is a driving force for profits, and any security breach would have a huge impact on it.
    3. Wireless networks are a popular means of attacking retail chains.

Key Issues

   a.            Issue #1: Causes of technology failures and computer intrusions.

            Sub issue: Wireless attacks

   b.           Issue #2: Identifying the issues and drawbacks in work processes.

   c.            Issue #3: Increasing employee awareness of these security violations.

            Sub Issue: Digital Eavesdropping

 Relevant Areas, Facts, Conclusions

   a.            Relevant areas for Issue #1

      1)           Encryption Techniques

    1. The wireless encryption protocol used by TJX, WEP (Wired Equivalent Privacy), is very weak; the means to decrypt WEP traffic is available online via a simple Google search.
    2. The attackers also identified a window of less than a second during which credit card numbers were held decrypted, and captured all the data they needed during that window.

              Conclusion: TJX's encryption system was outdated and exposed it to security risks.

      2)           Wireless Attacks

    1. Thieves used telescope-shaped antennas to intercept and decode data streaming through the air between hand-held price-checking devices, cash registers and the store's computers.
    2. They also captured IP addresses and large volumes of traffic, and used that captured traffic to crack the encryption key.

          Conclusion: Even though wireless is a well-known means of attack, TJX had not taken proper precautions to secure its wireless network.
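As an added example (not part of the original post, and not TJX's code or data) of why captured WEP traffic lets an attacker recover plaintext: WEP seeds RC4 with a 24-bit per-packet IV prepended to the shared key, and because the IV is so short it repeats on a busy network. Two packets sent under the same IV are encrypted with the same keystream, so XORing the ciphertexts cancels the key, and knowing one packet's plaintext (a predictable price-check request, say) reveals the other's. The RC4 implementation, the key, the IV and the packet contents below are all constructed for this example; the card number is a standard test number.

```python
"""Added example: RC4 keystream reuse under a repeated WEP IV.
Everything here (the RC4 code, key, IV and packet contents) is constructed
for illustration and is not TJX's code or data."""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (textbook KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: the 3-byte IV is sent in the clear, and the
    per-packet RC4 key is IV || shared key.  (The ICV/CRC is omitted; it does
    not change the keystream-reuse property shown here.)"""
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def recover_from_iv_reuse(packet_a: bytes, known_plaintext_a: bytes,
                          packet_b: bytes) -> bytes:
    """Given two packets that share an IV and the plaintext of the first,
    recover as much of the second's plaintext as the known plaintext covers.
    Raises ValueError if the IVs differ (different keystreams, no leak)."""
    iv_a, ct_a = packet_a[:3], packet_a[3:]
    iv_b, ct_b = packet_b[:3], packet_b[3:]
    if iv_a != iv_b:
        raise ValueError("IVs differ; keystreams are unrelated")
    keystream = xor_bytes(ct_a, known_plaintext_a)   # C_a XOR P_a = keystream
    return xor_bytes(ct_b, keystream)                # C_b XOR keystream = P_b


def iv_reuse_demo() -> bytes:
    """Encrypt a predictable request and a secret record under the same IV,
    then recover the secret from the ciphertexts and the known request alone."""
    shared_key = b"\x13\x37\xc0\xff\xee"              # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                              # 24-bit IV, reused below
    known = b"GET /price?sku=12345 HTTP/1.0"          # guessable price-check request
    secret = b"PAN=4111111111111111;EXP=1209"         # constructed; test card number
    packet_a = wep_encrypt(shared_key, iv, known)
    packet_b = wep_encrypt(shared_key, iv, secret)    # same IV: same keystream
    return recover_from_iv_reuse(packet_a, known, packet_b)


if __name__ == "__main__":
    print(iv_reuse_demo().decode())
```

With a 24-bit IV the birthday bound puts the first expected repeat at roughly 2^12, about 4,000 packets, and the statistical key-recovery attacks implemented by the freely available WEP tools need only a larger capture of the same kind of traffic; that is the "lots of data" the thieves collected. None of this requires breaking RC4 itself; the weakness is in how WEP uses it.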

   b.           Relevant areas for Issue #2

      1)           USB drives at in-store kiosks:

    1. The intruders started the breach at in-store kiosks.
    2. They opened the back of those terminals and used USB drives to load software, turning the kiosks into remote terminals connected to TJX's networks.
    3. Critically, the firewalls were not configured to block traffic originating from the kiosks.

           Conclusion: TJX had not firewalled all the devices connected to its network.

      2)        Processing Logs:

    1. TJX did not keep log data for its customer transactions, which was crucial for determining the number of cards at risk.
    2. Such logs normally provide information about the files on a system: when they were added, changed or accessed, the format of their contents, and so on.

         Conclusion: Logs are essential for reconstructing past transactions, and TJX did not retain or monitor them properly.

      3)           Compliance and auditing Practices

    1. Court documents showed that TJX had not met nine of the twelve PCI DSS requirements, covering encryption, access controls and firewalls.
    2. The auditors failed to note three main issues: the absence of network monitoring, the absence of logs, and the presence of unencrypted data.
    3. TJX had also retained customer data for years after it should have been purged.

       Conclusion: TJX's compliance audits were ineffective, as they failed to detect the major control gaps in TJX's systems.
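Two of the gaps just listed, cardholder data stored in the clear and data retained past its purge date, are the kind of thing a short script can check for before an auditor does. The following is an added example (not from the original post or from TJX) of such a check run over a constructed returns table like the one described in the case; the record layout, the 180-day retention limit and the sample records are assumptions, and the card numbers are standard test numbers rather than real cards.

```python
"""Added example: scan stored records for clear-text PANs / SSNs and for
records held past the retention limit.  Record layout, retention policy
and sample data are constructed for this example; the card numbers are
the usual test numbers, not real cards."""
import re
from datetime import date

# 13-19 digits, optional single spaces or dashes between digits, not part of a
# longer digit run.  Luhn filtering below removes most order/tracking numbers.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
_SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers (digits only) found in free text."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list:
    """Return strings in NNN-NN-NNNN form found in free text."""
    return _SSN_RE.findall(text)


def audit_records(records, today: date, max_age_days: int) -> list:
    """Flag records that hold clear-text PANs or SSNs, and records older than
    the retention limit.  Returns (record id, finding, detail) tuples."""
    findings = []
    for rec in records:
        pans = find_pans(rec["note"])
        ssns = find_ssns(rec["note"])
        age = (today - rec["stored"]).days
        if pans:
            findings.append((rec["id"], "clear-text PAN", ",".join(pans)))
        if ssns:
            findings.append((rec["id"], "clear-text SSN", ",".join(ssns)))
        if age > max_age_days:
            findings.append((rec["id"], "past retention", f"{age} days old"))
    return findings


# Constructed sample of a returns table like the one described in the case.
SAMPLE_RECORDS = [
    {"id": 1, "stored": date(2006, 11, 3),
     "note": "return; card 4111 1111 1111 1111; DL X1234567"},
    {"id": 2, "stored": date(2003, 6, 14),
     "note": "return; card 5555555555554444; SSN 078-05-1120"},
    {"id": 3, "stored": date(2006, 12, 1),
     "note": "order 1234567890123456 shipped"},        # fails Luhn: not a PAN
    {"id": 4, "stored": date(2004, 2, 2),
     "note": "return; card token 7f3a9c (PAN not stored)"},
]


def run_sample_audit() -> list:
    # A fixed 'today' and an assumed 180-day retention limit keep the output
    # deterministic; a real policy would come from the data-retention standard.
    return audit_records(SAMPLE_RECORDS, date(2006, 12, 31), max_age_days=180)


if __name__ == "__main__":
    for rec_id, finding, detail in run_sample_audit():
        print(f"record {rec_id}: {finding} ({detail})")
```

The Luhn filter is what keeps the scan useful: a bare 16-digit regex would flag the order number in record 3 and bury real findings in noise. Record 4 shows the intended end state, a token in place of the PAN, which still gets flagged for age because retention applies to the whole record, not only to the card number.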

   c.            Relevant areas for Issue #3

      1)           Digital Eavesdropping

    1. The hackers digitally eavesdropped on employees logging into TJX's central database.
    2. They used the captured credentials to create their own accounts and were then able to access TJX systems from any computer on the internet.

         Conclusion: TJX had not educated its employees about such security violations and had not monitored their account activity.
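The eavesdropping finding above points at two things a monitoring team should be alerting on: a credential used from outside the corporate network shortly after it was used inside it, and account creation by users who are not supposed to create accounts. The following is an added example (not from the original post or from TJX) of that detection logic run over constructed sample authentication log lines; the log format, the corporate address ranges, the one-hour window and the set of accounts permitted to create users are assumptions made for the example.

```python
"""Added example: detection rules for stolen-credential use and rogue account
creation, run over constructed sample authentication log lines.  Log format,
corporate address ranges and the admin allowlist are assumptions."""
import ipaddress
import re
from datetime import datetime, timedelta

# Assumed: address ranges TJX's own stores and offices would log in from.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("172.16.0.0/12")]
# Assumed: the only accounts allowed to create other accounts.
ACCOUNT_ADMINS = {"svc_idm"}
# A credential seen inside and then outside the network within this window
# is treated as shared or stolen.
SHARED_CRED_WINDOW = timedelta(hours=1)

_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN|CREATE_USER) user=(?P<user>\S+) "
    r"src=(?P<src>\S+)(?: target=(?P<target>\S+))?$")

# Constructed sample log: a store user's credential is replayed from the
# internet and used to create a new account, which then logs in from outside.
SAMPLE_LOG = """\
2006-12-18T02:14:07Z LOGIN user=jdoe src=10.20.3.44
2006-12-18T02:16:51Z LOGIN user=jdoe src=203.0.113.9
2006-12-18T02:17:30Z CREATE_USER user=jdoe src=203.0.113.9 target=maint2
2006-12-18T02:19:02Z LOGIN user=maint2 src=203.0.113.9
2006-12-18T09:00:00Z CREATE_USER user=svc_idm src=10.20.3.10 target=newhire1
"""


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["corporate"] = any(ipaddress.ip_address(ev["src"]) in net
                          for net in CORPORATE_NETS)
    return ev


def detect(log_text: str) -> list:
    """Return alert dicts (ts, kind, user, detail) for the given log text."""
    alerts = []
    last_corporate_login = {}          # user -> time of last login from inside
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue                    # unparseable lines are skipped here
        if not ev["corporate"]:
            alerts.append({"ts": ev["ts"], "kind": "external-source",
                           "user": ev["user"], "detail": ev["src"]})
        if ev["event"] == "LOGIN":
            if ev["corporate"]:
                last_corporate_login[ev["user"]] = ev["time"]
            else:
                seen = last_corporate_login.get(ev["user"])
                if seen is not None and ev["time"] - seen <= SHARED_CRED_WINDOW:
                    alerts.append({"ts": ev["ts"],
                                   "kind": "credential-shared-across-networks",
                                   "user": ev["user"],
                                   "detail": f"inside at {seen:%H:%M:%S}, outside from {ev['src']}"})
        elif ev["event"] == "CREATE_USER" and ev["user"] not in ACCOUNT_ADMINS:
            alerts.append({"ts": ev["ts"], "kind": "unauthorized-account-creation",
                           "user": ev["user"], "detail": f"created {ev['target']}"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts']} {a['kind']:34} {a['user']:8} {a['detail']}")
```

On the sample log this raises five alerts: three logins or actions from a non-corporate address, one credential (jdoe) used from inside and then from the internet within minutes, and one account (maint2) created by a user who is not on the admin allowlist. Any one of these would have been worth a phone call; none of them can fire on a network that keeps no logs, which is the earlier finding these rules depend on.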

Recommendations

   a.         Recommendations for Issue #1:

    1. TJX should replace its outdated wireless encryption (WEP) with a current standard, test the new deployment under various conditions, and ensure that stored card data is encrypted at rest, engaging specialist vendors if needed.
    2. TJX should firewall its wireless networks properly and monitor them for external intrusion.

  b.     Recommendation for Issue #2:

    1. TJX should make sure that all devices connected to its main network, especially in-store kiosks, are firewalled and monitored regularly.
    2. TJX should log all transactions in its stores and store those logs in its databases with proper authentication and access control.
    3. TJX should delete all data it no longer needs and make sure that it meets the PCI DSS standard.

  c.    Recommendation for Issue #3: TJX should train its employees about security violations and monitor them so that their credentials are not leaked outside TJX. It should also employ a proper IT security team and monitor network traffic regularly.


    d.           In the short term, TJX should eliminate all the issues pertaining to its IT security; in the long term, it should regain its customers' confidence and make sure that its IT systems work properly, are firewalled and are reliable for customer transactions.
