Analysis Of The Case Study On Security Breach At TJX

The major issue in the case

TJX was a parent company based in Framingham, Massachusetts. It has more than 2600 discount fashion and home accessories retail stores all over USA, Europe and Mexico. TJX’s systems were penetrated by hackers in 2003 to mid 2005 and stole 46 million credit and debit card details making it United States largest data breach. TJX delayed announcing the intrusion news to public until January of 2007. TJX in 2005 was still using WEP (Wired Equivalent Privacy) for its wireless systems transmissions, even though in 2001 WPA (Wifi Protected Access) became new standard.

Past further investigation in 2007, VISA disclosed that TJX had been storing credit card numbers and expiration dates in its system which violated PCI DSS and contradicted TJX’s annual reports. It was believed that this stored data was compromised by hackers gaining access to it in unencrypted form either because data was never encrypted or because TJX had been unable to protect its encryption algorithm.

How I would manage this issue

Firstly gather decision makers including legal entities to address the issue by assessing scope of the breach. Following by that engage IT to contain the breach immediately.

Notify customers and consumers post the breach. Document and handle legal policies procedures to report the event. Contact insurance agents and carriers they had in place.

Short Term: Replace the existing WEP with WPA secured system.

Would and should not be saving the magnetic strip card details Will be changing the encryption methodology of saving customer personal identification data. Will be reviewing what kind of information is getting collected and avoid gathering unnecessary sensitive information.

Would disable all USB ports in store kiosks, also lock down kiosks so customers would not be able to run other application programs.

Have multiple firewalls to segment access to sensitive information from other systems traffic.

Would also run testing on e-commerce site for vulnerabilities to avoid flaws for SQL injections and etc.

On Long Term: Understanding to consider the difference between money being spent on information technology security as business decision rather than technology issue.

Some recommendations can be: To have a process to update all the the critical software components and also apply the security patches released by vendors.

Hire white-hat hackers/Ethical hackers to detect potential loopholes in the system and fix them accordingly to avoid actual hackers to exploit. Having log monitoring and doing log analysis to detect the anolmolies can improve the system. Systems like Fisheye and Splunk prelert provide this service by detecting malware from the logs.

Design and implement a program for all associates to not to leave terminals un attended, connect to their personal devices to in-store networkUpgrade the POS system to ‘Chip and PIN’ technology enabled card readers, protecting debit and credit cards. Many of POS systems previously have been hacked because of POS malware.

Updates to the case

It was a group of 11 people known as the Gonzalez Gang named after their leader Albert Gonzalez was held responsible for this breach of stealing 40 million credit and debit card details. The gang was from Miami, City Officials from Miami believe the TJX issue, began when hackers broke into their insecure wireless networks at two Marshalls locations. It was estimated this incident to TJX to cost close to 250 million dollars as per their corporate filing.

Settlements that were reached by TJX were free credit monitoring services for three years to customers and consumers whose driving license was exposed in breach, Plus cash reimbursements, Vouchers and promised three day customer appreciation event that following year, during which company planned to provide 15% off on its goods. Despite being the biggest, costliest and most written-about breach ever, customer and investor confidence in TJX had remained largely unshaken for the following year. TJX's stock was worth about $30 per share when the breach was disclosed, and its closing price was just over $29 after one year of its incident. In the year 2013, Home Depot was affected similar to that of TJX, it costed Home Depot close to $80 million in losses and US Credit Unions close to $60 million in addition credit card fraud. It was disclosed that hackers infected the Home Depot POS system with a variant of malware that was used in TJX attack. Similarly hackers were able to harness credit card data information from in store over period of some several months.