9.3 Assignment: Research Case Studies – TJX Case Study

After reading the required case studies, use the TJX Case Study Assignment Questions below to synthesize and describe your outlook on how TJX handled the cybersecurity breach. You will research and describe guidelines, the cost of the computer intrusion, the state of retail stores' preparedness, and possible defense strategies.

TJX Case Study Questions

1. What guidelines could TJX use in:
   A. Determining that the collection of customer information was not excessive?
   B. Determining whether appropriate safeguards had been put into place to protect customer data?
2. Cost of the computer intrusion:
   A. Find the most up-to-date total cost of the computer intrusion at TJX by reviewing the company's quarterly reports for the period after the intrusion and searching the Internet for "cost of computer intrusion at TJX," making sure your sources are reputable.
   B. Make an updated approximation of how much TJX would have had to invest in safeguards that might have prevented the intrusion. Try searching for "cost of PCI compliance."
   C. How does the preventive cost compare to the final cost that TJX might have to pay for all intrusion-related issues?
3. State of retail stores' preparedness:
   A. Review the results of the 3,000-retail-store survey on the AirDefense website (http://www.airdefense.net/newsandpress/11_15_07.php). How well are the 3,000 surveyed retail stores protecting their customer data, and what is the likelihood of TJX-like computer intrusions at such retailers?
   B. Search the Internet for "computer breaches" and describe any one of the major computer breaches that occurred after the TJX intrusion.
4. Discuss and demonstrate, from both policy and technological perspectives, how TJX could have used a defense-in-depth strategy to create a defense that would have been much harder to penetrate.
5. Should Dennis advise his wife not to use a credit card due to safety issues? What can she do to protect herself?

You should concentrate on examining the TJX case study. The assignment questions are designed to help you structure your paper. However, I want you to develop each section of the paper by writing on those subjects. In other words, don't state the question and use a short-answer format. The paper should transition from one topic to another. The questions should help you build the outline or table of contents for the paper. If you want to expand your research, consider some more recent retail breaches and discuss trends in cybersecurity practices. I realize some of the material is becoming somewhat outdated, so I encourage you to explore some more recent retail breaches.

The body of the report will consist of an introduction, the research, and a summary.
- Single-spaced, 4-8 pages, with 1″ margins
- Include a title page with your name, course, and assignment title
- Include a table of contents and a references page
- The entire report should follow current APA guidelines for citations and references
LESSONS FROM COMPUTER INTRUSION AT TJX
Benjamin Ngugi, Suffolk University
Glenn S. Dardick, Longwood University
Gina Vega, Salem State College
ANNOUNCEMENT OF COMPUTER INTRUSION AT TJX
The TJX Companies, Inc. today announced that it has suffered an unauthorized
intrusion into its computer systems that process and store information related to
customer transactions. While TJX has specifically identified some customer
information that has been stolen from its systems, the full extent of the theft and
affected customers are not yet known, read Dennis Frank from the TJX press
statement dated January 17, 2007.
It was almost the end of the fall 2007 semester. Dennis, an assistant professor of Information
Technology at a Boston university, was preparing a class presentation from his home office on
the importance of customer data protection when his mind immediately focused on the computer
intrusion at TJX earlier in the year. No other computer intrusion case could have been more
relevant; he knew that several of his students were either directly affected or knew someone who
had been affected by the TJX computer intrusion. Further, some of the issues that led to the TJX
intrusion were now finding their way to the public via the media and the Internet, so the students
would have ready access to research materials. He began analyzing all the TJX press statements
about the computer intrusion.
Dennis was distracted briefly by his wife who was furiously typing a holiday shopping list on her
computer. The holiday season had arrived and they were inundated with special offers from the
retail companies. First there was the Thanksgiving series of sales, and now the Christmas series
had started. He wondered whether to warn her to use cash when doing her shopping, as credit
cards were becoming unsafe despite their many benefits and the purchase protection they
afforded. He went back to the article that he was reading.
This intrusion involves the portion of TJX’s computer network that handles credit
card, debit card, checks, and merchandise return transactions for customers of its
T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto
Rico, and its Winners and HomeSense stores in Canada, and may involve
customers of its T.K. Maxx stores in the U.K. and Ireland. The intrusion could
also extend to TJX’s Bob’s Stores in the U.S.
“This has the potential of becoming a real disaster,” thought Dennis. “The stolen cards’ customer
information could be used to make counterfeit cards which could lead to an identity theft crisis.”
Complicating matters further was the fact that the theft was across the majority of the subsidiary
companies, which increased the scale of affected customers.
The Company immediately alerted law enforcement authorities of the crime and
is working closely with them to help identify those responsible. TJX is also
cooperating with credit and debit card issuers and providing them with
information on the intrusion,
the press release continued.
How long had it taken the company to disclose the computer intrusion to the public? Every day
wasted could make a difference in a victim’s journey through identity theft. However, the
company had to balance the need for disclosure with the conflicting need to keep quiet long
enough to give the law enforcement agencies time to catch up with the hackers.
With the help of leading computer security experts, TJX has significantly
strengthened the security of its computer systems. While no computer security can
completely guarantee the safety of data, these experts have confirmed that the
containment plan adopted by TJX is appropriate to prevent future intrusions and
to protect the safety of credit card, debit card and other customer transactions in
Dennis was happy to see that the company had sought advice from experts on strengthening its
defense. The worst thing that could happen would be to have a repeat attack and theft of data.
That could take away any remaining investor-confidence in the company. He wondered how the
data thieves had penetrated the company’s security network and what layers of defense the
company had now erected to deter similar types of attacks in the future.
The TJX Companies, Inc
The TJX Companies, Inc. was one of the leading retailers of apparel and home fashions in the USA
and worldwide, with annual sales of $17.4 billion in 2006 under the leadership of Bernard
Cammarata, Chairman of the Board, and Carol Meyrowitz, President and Chief Executive Officer.
The mission of the company was the delivery of an exciting, fresh and rapidly changing
assortment of brand-name merchandise at excellent values to its customers.
TJX traced its origin to the first Zayre discount department store, opened by cousins Stanley
and Sumner Feldberg in 1956 in Hyannis, Massachusetts. Zayre incorporated in 1962 and went on
to acquire several other companies; it was later renamed The TJX Companies, Inc.
As of 2008, TJX operated eight businesses: T.J. Maxx, Marshalls, HomeGoods, Bob's Stores and
A.J. Wright in the USA, Winners and HomeSense in Canada, and T.K. Maxx in Europe. The group
had over 2,400 stores with approximately 125,000 associates and placed 133rd in the Fortune 500
ranking.
Update on the Computer Intrusion at TJX
Dennis moved on to the second press release from TJX, dated February 21, 2007, giving an
update on the computer intrusion.
While the company previously believed that the intrusion took place only from
May, 2006 to January, 2007, TJX now believes its computing system was also
intruded upon in July 2005 and on various subsequent dates in 2005.
Dennis could not believe what he was reading. Did this mean that the data thieves hacked into
the system and continued stealing customer data from July, 2005 all the way to December, 2006
without being detected? How could such a large company not detect an intrusion for eighteen
months? What level of IT security personnel were responsible for IT network security? Did they
have a specific group within the IT organization that was responsible for IT network security?
Did they have a layered network security plan in place? At a minimum, didn’t they employ
intrusion detection systems? Didn’t they examine their logs to check for unauthorized file
Dennis had worked in the IT security industry and knew that it was now standard policy in most
organizations to employ top-notch network security personnel. Such people would design the
right security policies and then institute several layers of security controls to enforce them.
Those controls would include segmenting the network into manageable units, so that store
wireless traffic could not reach the systems holding card data, and placing firewalls and
intrusion detection systems (IDS) in front of that data. The IDS would monitor for abnormal or
fraudulent behaviour and alert the network security officer. It was also standard procedure to
monitor server log files to see who was accessing sensitive data files. He felt it would not be
asking too much to expect such a company to be doing the same.
In addition to the customer data the Company previously reported as
compromised, the Company now believes that information regarding portions of
the credit and debit card transactions at its U.S., Puerto Rican and Canadian stores
(excluding debit card transactions with cards issued by Canadian banks) from
January, 2003 through June, 2004 was compromised.
Dennis could understand why so many people were worried. Customers who had ever bought
something at any of the TJX group of companies had reason to fear that they would become
victims of identity theft, and things were getting worse. The hackers had accessed credit and
debit card information and were in a position to use this information to purchase things which
would be billed to the customers’ accounts.
TJX has found additional drivers’ license numbers together with related names
and addresses that it believes were compromised.
Why was the company keeping driver's license numbers? Dennis was even more worried when he
remembered that some states had issued driver's license numbers that were the holder's social
security number, making that group of customers the most vulnerable to identity thieves.
He wanted a lot of answers and decided to look for an investigative report from a law
enforcement agency or some other independent institution. He searched the Internet for
“investigation on TJX computer intrusion,” and he got several hits. One was an investigation by
the Canadian privacy commissioner. He downloaded the full report from the commissioner’s
website and sat down to read it.
Report of an Investigation into the Security, Collection and Retention of Personal
Information at TJX
On January 17, 2007, the Office of the Privacy Commissioner of Canada (OPC)
and the Office of the Information and Privacy Commissioner of Alberta (AB
OIPC) were notified by TJX and by Visa that TJX had suffered a network
computer intrusion affecting the personal information of an estimated 45 million
payment cards in Canada, the United States, Puerto Rico, the United Kingdom
Dennis sighed with consternation. Forty-five million payment cards were now at risk because of
the TJX computer intrusion. This would go down in history as one of the biggest hacks ever; he
could not remember any other computer intrusion with such a large number of affected
customers. The stakes were high, and the business case for putting safeguards into such an
organization was strong, as the damage would be enormous. He wondered if he was jumping to
conclusions and should first try to find out how the intruders had hacked into the TJX system. He
came to the paragraph describing the penetration:
TJX informed the investigators that “the intruder may have gained entry into the system outside
of two stores in Miami, Florida.” Dennis almost missed it. From outside a store? Without going
inside? Of course! The intruders must have hacked into the wireless system by positioning
themselves strategically outside the two stores where they could get the wireless signal without
going through the security guard at the door. This was getting interesting. He wondered whether
the company had performed a wireless security risk analysis to identify the vulnerabilities of
wireless security systems. What kind of security safeguards did the company have in place to
prevent this kind of attack? He continued to the next paragraph.
At the time of the breach, TJX had in place various technical measures in its
North American stores to protect personal information, including the Wired
Equivalent Privacy (WEP) encryption protocol.
Dennis immediately identified one problem: WEP had been an obsolete encryption technology
for several years. Earlier in the year he had attended a seminar on wireless security and was
well versed in the different wireless encryption technologies. WEP had been known to be
unsafe since 2001: it encrypts every frame with RC4 keyed by a 24-bit initialization vector,
sent in the clear, prepended to the shared key, so keystreams repeat on a busy network and
the key itself can be recovered from captured traffic. Several programs freely available on the
Internet could crack a WEP key in minutes, and they could even be run on an iPAQ PDA (a small
handheld device) that could be carried into a store undetected. WEP was part of the original
IEEE 802.11 standard; the IEEE later deprecated it because of these weaknesses and the
industry moved to WPA (Wi-Fi Protected Access), which kept RC4 but added per-packet keys, a
much longer sequence counter and a cryptographic integrity check, and then to WPA2 with
AES-based encryption. Dennis wondered why a company of TJX's size, with its money and
manpower, would still be using such an outdated system.
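The weakness Dennis is describing, shown in working code. This is an added example and not part of the case study or of any TJX system: a minimal RC4, the WEP framing (3-byte IV in the clear, RC4 keyed with IV || shared key, the CRC-32 integrity value omitted), a constructed 40-bit key and constructed frames. It shows that two frames sent under the same IV share a keystream, so one frame with guessable content (an HTTP request) decrypts the other (a constructed card number) without the key, and it computes how quickly the 24-bit IV space produces such collisions.

```python
"""Added example (not from the TJX case study): why WEP's 24-bit IV is fatal.

WEP encrypts each frame with RC4 keyed by IV || shared_key.  The IV is only
24 bits and travels in the clear, so two frames that share an IV share a
keystream: XORing the ciphertexts gives the XOR of the plaintexts, and a known
(or guessable) plaintext for one frame decrypts the other.  The CRC-32 ICV is
left out; key, IV and frame contents below are constructed for the demo.
"""
import math
import os

IV_BITS = 24
IV_SPACE = 1 << IV_BITS


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA): `length` keystream bytes for `key`."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                  # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: 3-byte IV in the clear, then RC4(IV || key) XOR plaintext."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    ks = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def recover_with_known_plaintext(frame_known: bytes, known_plaintext: bytes,
                                 frame_target: bytes) -> bytes:
    """Keystream reuse: from a frame whose plaintext is known, recover the keystream
    and decrypt a second frame sent under the same IV.  No key is needed."""
    iv1, body1 = frame_known[:3], frame_known[3:]
    iv2, body2 = frame_target[:3], frame_target[3:]
    if iv1 != iv2:
        raise ValueError("frames use different IVs; keystream is not shared")
    keystream = bytes(c ^ p for c, p in zip(body1, known_plaintext))
    # we learn only as many bytes of the target as the known plaintext covers
    return bytes(c ^ k for c, k in zip(body2, keystream))


def iv_collision_probability(frames: int) -> float:
    """Birthday bound: probability that at least two of `frames` random IVs repeat."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * IV_SPACE))


def demo() -> bytes:
    shared_key = b"\x13\x37\xc0\xff\xee"           # constructed 40-bit WEP key
    iv = os.urandom(3)                             # the AP will reuse this within hours anyway
    known = b"GET /index.html HTTP/1.1\r\n"        # guessable request seen on the air
    secret = b"PAN=4111111111111111;EXP=0109\r\n"  # constructed card data, same IV
    f1 = wep_encrypt(shared_key, iv, known)
    f2 = wep_encrypt(shared_key, iv, secret)
    return recover_with_known_plaintext(f1, known, f2)


if __name__ == "__main__":
    print(demo())                                  # first 26 bytes of the secret frame
    for n in (1000, 5000, 12000):
        print(f"{n:6d} frames -> P(IV repeat) = {iv_collision_probability(n):.2f}")
```

Running it prints the card data recovered from the second frame and the birthday-bound probabilities: around 5,000 frames give an even chance of a repeated IV even when IVs are chosen at random, and many cards of the period reset the IV to zero on every power-up, which is worse. WPA's TKIP answered exactly this with per-packet key mixing and a 48-bit sequence counter; WPA2 replaced RC4 altogether with AES-CCMP.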
He read on. The "intruders then used deletion technology to cover their tracks thus making it
impossible for TJX to determine the contents of the files created and downloaded by the
intruder." Dennis could tell that these were professional hackers, not the usual high school kids
out to impress their peers with their hacking prowess. These were experts who deleted the
server logs to stymie detection of the intrusion and took pains to cover their tracks so that they
would not be caught by law enforcement. TJX could have preserved both the card data files and
the server logs by forwarding logs to a separate collector as they were written and by keeping
regular backups at a different site, out of reach of an account compromised on the server itself;
records deleted on the host would then have survived elsewhere and could have been used to
reconstruct what was taken and to track the hackers. He went on to review the objectives and
findings of the Canadian probe into the TJX computer intrusion.
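What the two checks Dennis expects look like in practice, as an added example that is not from the case study and describes no actual TJX system: the log-file monitoring of who reads sensitive data files that he calls standard procedure, and the off-host copy of the logs that survives the intruders' deletion. It runs over a handful of constructed records in the form a central collector would hold if each server forwarded its audit log as it was written, and flags (1) a read of the card-data files from a client outside the allow-list, here one on the store wireless segment, (2) a deletion of the audit log on the server, and (3) the gap in that server's per-record sequence numbers that the deletion leaves in the collector's copy. Host names, paths, addresses and the record layout are assumptions made for the demo.

```python
"""Added example (not from the TJX case study): log review at a central collector.

Each server is assumed to forward its audit records, numbered consecutively,
to a collector the server's own accounts cannot write to.  Three checks:
  1. reads of card data from clients outside the allow-list;
  2. writes/deletions aimed at the audit log itself;
  3. gaps in a host's sequence numbers, which is what local deletion looks like
     from the collector's side.
Record format, hosts, paths and addresses are assumptions for the demo.
"""
from collections import defaultdict

# constructed forwarded records: "<seq> <host> <user> <action> <target> <client-ip>"
SAMPLE_LOG = """\
101 cardsrv01 svc_pos read /data/track2/batch-20050712.dat 10.4.1.20
102 cardsrv01 svc_pos read /data/track2/batch-20050712.dat 10.4.1.21
103 cardsrv01 bkup_acct read /var/log/audit.log 10.4.0.5
104 cardsrv01 svc_pos read /data/track2/batch-20050713.dat 192.168.77.9
109 cardsrv01 root delete /var/log/audit.log 192.168.77.9
110 cardsrv01 svc_pos read /data/track2/batch-20050714.dat 10.4.1.20
201 posgw02 svc_pos read /data/track2/batch-20050712.dat 10.4.1.22
202 posgw02 svc_pos read /data/track2/batch-20050712.dat 10.4.1.23
"""

SENSITIVE_PREFIX = "/data/track2/"            # assumed location of card data
ALLOWED_CLIENTS = {"10.4.1.20", "10.4.1.21",   # assumed POS concentrators
                   "10.4.1.22", "10.4.1.23"}
STORE_WLAN = "192.168.77."                    # assumed store wireless segment
AUDIT_LOG = "/var/log/audit.log"


def parse(line: str) -> dict:
    seq, host, user, action, target, client = line.split()
    return {"seq": int(seq), "host": host, "user": user,
            "action": action, "target": target, "client": client}


def sensitive_access_alerts(records):
    """Card-data reads from any client not on the allow-list; a store-Wi-Fi source is
    named explicitly because that segment should never reach this data at all."""
    alerts = []
    for r in records:
        if not r["target"].startswith(SENSITIVE_PREFIX):
            continue
        if r["client"].startswith(STORE_WLAN):
            alerts.append((r["seq"], r["client"], "store wireless segment"))
        elif r["client"] not in ALLOWED_CLIENTS:
            alerts.append((r["seq"], r["client"], "not an allowed client"))
    return alerts


def log_tamper_alerts(records):
    """Direct evidence: anything other than a read aimed at the audit log itself."""
    return [(r["seq"], r["user"], r["action"])
            for r in records
            if r["target"] == AUDIT_LOG and r["action"] != "read"]


def sequence_gaps(records):
    """Per host, sequence numbers missing between consecutive forwarded records.
    Records are numbered as written, so a gap means they existed and are gone."""
    by_host = defaultdict(list)
    for r in records:
        by_host[r["host"]].append(r["seq"])
    gaps = {}
    for host, seqs in by_host.items():
        seqs.sort()
        missing = [n for a, b in zip(seqs, seqs[1:]) for n in range(a + 1, b)]
        if missing:
            gaps[host] = missing
    return gaps


def review(text: str = SAMPLE_LOG) -> dict:
    records = [parse(l) for l in text.splitlines() if l.strip()]
    return {"sensitive": sensitive_access_alerts(records),
            "tamper": log_tamper_alerts(records),
            "gaps": sequence_gaps(records)}


if __name__ == "__main__":
    for name, hits in review().items():
        print(f"{name}: {hits}")
```

Against the sample, the review reports the card-data read from 192.168.77.9 at record 104, the deletion of the audit log by root at record 109, and the missing records 105 to 108 on cardsrv01. The last finding is the point of forwarding rather than nightly backup: the intruder's deletion on the server destroys the local copy, but the collector still holds every record up to the moment of deletion and shows exactly where the hole is.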
The goal of the investigation was to “examine the collection, retention and safeguarding
practices of the organization, in order to determine whether the breach could have been
prevented.” The investigators had set the right objectives. The issues of collection, retention and
safeguarding should form the core of a company’s information system security blueprint.
“Prevention is better than cure,” went the old adage. Keeping the collected information to an
absolute minimum would reduce the extent of the damage that could befall an organization like
TJX. Likewise, if only the absolute minimum of the collected information were retained, then the
amount of information to be protected was minimized. And finally, if the organization had strong
safeguards, then it meant that the information retained would be protected and therefore so costly
for hackers to access that it would not be worth the effort.
The first issue that the investigators were concerned with was “whether TJX had a reasonable
purpose for collecting the personal information affected by the breach.” This was very much in
line with the view of many IT security experts: only information that met a certain purpose
should be collected. Anything more would represent an unnecessary liability. Dennis could
understand why a company would want to collect names and addresses for credit card
verification. However, he could not understand why they had to store driver's license numbers. If
they wanted a photo ID, they could ask for the driver's license and compare it with the credit
card, but they did not need to enter the number into the computer system.
The second issue that the investigators sought confirmation of was whether TJX’s retention of
customer data practice was in compliance with Canadian regulations. The investigators found
that the “collection of names and addresses was acceptable but that of driver license ID numbers
was excessive and contrary” to Canadian privacy laws. They determined that the TJX practice
contravened the privacy laws and regulations. Collecting and retaining unnecessary personal data
must have exacerbated the situation.
The third issue that the commission investigated was whether TJX had made reasonable security
arrangements to protect the personal information in its custody. Dennis knew that the
responsibility for protecting customer data lay with the company collecting the information. He
personally felt that the company should not have been using the WEP encryption protocol after
the IEEE declared it insecure.
At the end of September, 2005, TJX made a decision to improve the protection of
its wireless networks by installing the Wi-Fi Protected Access (WPA) encryption
protocols in its stores.
Dennis sighed; it was good the company had eventually realized the danger of using
WEP, but it was too late by then. The press update had stated that the first TJX intrusion was
in July 2005, so by the time they started upgrading to WPA the intruders were already in the
system, siphoning customer data out. If they had changed to WPA earlier, they might have
prevented the intrusion. Dennis was pleased to see that the “organization undertook forensic and
other investigations to audit and analyze the security of the TJX computer system, and to
enhance the security of the TJX computer system in a continuing effort by TJX to safeguard
against future attempted unauthorized intrusions” and was taking steps to rectify the situation,
but he wondered why they had to be hacked to do what they should have done earlier. He was
angry that so much had been lost because of something that could have been prevented.
The total losses from the intrusion would not be known for some time. By the second-quarter
earnings report in August 2007, TJX had set aside $196 million before taxes as an estimated
provision to cover liabilities from the suits that were bound to follow. This was in addition to
the $25 million pre-tax charge it had taken earlier. The quarterly report further suggested that
the company might have "to take an extra $35 million in the next financial year." This totaled
about $256 million, and the figure was still rising. In fact, some research firms estimated that
"the total loss from the breach could reach $1 billion once settlement and lost sales were
tallied." This was a monumental figure by any account.
It would be instructive to compare the total loss with what TJX would have spent to fix the
WEP problem and safeguard the customer data in the first place, avoiding the intrusion
altogether. Dennis could not find an exact figure, so he decided to make a rough estimate. He
knew that retailers like TJX that accepted cards from the four major card brands (Visa,
MasterCard, American Express and Discover) had to meet the Payment Card Industry Data
Security Standard (PCI DSS). The standard consisted of twelve requirements that spelled out the
layers of security controls to be erected around cardholder data: properly configured firewalls,
access controls, encryption of cardholder data sent across open public networks, regular
software updates and patching, monitoring and testing of networks, and maintaining an
information security policy. Such a layered defense would present a formidable obstacle to an
intruder. (See Appendix A for an illustration of the Defense-in-Depth Strategy.)
Dennis emailed one of the leading security consultants he knew for an approximate figure on
what a company like TJX would have incurred in becoming PCI compliant.
“I cannot address TJX in particular but I know of an information-intensive
company that has spent more than $20 million in order to be PCI compliant. This
was a company that possessed many, many millions of individual personal
identifiers, including social security numbers and had to be PCI compliant, level
one, because it processes in excess of six million credit card transactions annually.
So obviously, it has a significant retail operation,”
replied the security consultant. After chatting a bit longer, Dennis returned to his course
preparation and decided to use the given figure as an upper limit. He did further
investigation searching for real companies that had gone through PCI compliance. The
Wall Street Journal reported that the "musical-instruments retailer Guitar Center Inc,
which operates more than 210 stores nationwide and processes several million payment-card
transactions a year, had purchased nearly $500,000 of new technology in the past
year in order to comply with the PCI standards." Dennis could not make a direct
comparison, as that company had 210 stores while TJX had 2,400, so he computed a
cost per store of about $2,380. Multiplying the cost per store by TJX's total stores gave
a figure of about $5.7 million. The same article stated that "the biggest merchants, those
that process six million or more payment-card transactions a year from any single card
brand, spent an average of $568,000 on new technologies to comply with the PCI security
standards, according to estimates from Gartner, Inc." In the case of TJX, eight such large
merchant businesses were embedded in the group: T.J. Maxx, Marshalls, HomeGoods,
Bob's Stores and A.J. Wright in the USA, Winners and HomeSense in Canada, and T.K.
Maxx in Europe were all subsidiaries of TJX and each processed six million …