Good Example Of Case Study On Findings:

The security breach at TJX was first discovered on December 18, 2006 which was 18 months after the first intrusion in July, 2005. The breached systems were located in Framingham, and these processed and stored information on checks, credit cards and returned merchandise without receipts. TJX began an internal investigation and hired security consultants – IBM and the General Dynamics Corporation to assist in the investigation. TJX also notified law enforcement agencies and financial institutions such as banks, credit and debit card companies, and check-processing companies of the intrusion. According to banks and other credit card issuing institutions, approximately 94 million credit cards were compromised in the TJX attack leading to numerous cases of financial fraud, identity theft and numerous lawsuits by individuals and credit card issuers due to losses incurred. TJX was also advised by the US Secret Service to withhold public disclosure of the breach to allow for investigation until February 21, 2007. The information security breach at TJX exposed various vulnerabilities in their IT networks, systems and processes. Some managerial and organizational factors that could have contributed these weaknesses were also identified. The findings of the TJX breach are described below:
Inadequate security of wireless networks: TJX used the weak Wireless Equivalent Protocol (WEP) to secure wireless networks in its store. The WEP protocol is very insecure and can be cracked in a few in a few minutes. It also does not satisfy the industry standards that require the use of the more secure Wi-Fi Protected Access (WPA) protocol. The intruders were able to hack the wireless network at a Marshall’s store in St. Paul, Minnesota and gain access to the central database.
Lack of physical security of assets in stores: According to the case study, the intruders were able to access the in-store kiosks, opened them up, and used USB flash drives to load malicious software onto the terminals thus converting them into remote terminals which they used to connect to the TJX networks. The main issue in this case was negligence, poor security and monitoring of the in-store information assets.
Poor data encryption and lack of firewalls: TJX transmitted credit card data to the payment issuers without using encryption making it easy for intruders to intercept these transmissions. In its public statement, TJX also acknowledged that the hackers may have had access to the decryption tools for the encryption software that TJX used. It is also evident that the TJX network lacked proper firewall implementation since the intruders were able to gain access to the main network and the central database by tampering with the in-store kiosks and wireless network hotspots respectively. These attacks point directly to the lack of firewalls to defend against incoming traffic from wireless hotspots and the in-store kiosks.
Payment Card Industry (PCI) Data Security standards violation: According to the PCI Data Security standard 3.2, merchants are not supposed to store sensitive card data such as personal identification numbers (PIN), card-validation code (CVC) and full-track information after payment authorization has been received (Berg, Freeman & Schneider, 2008). However, the TJX audit showed records which included PINs and CVC numbers associated with customer credit cards, some even dating back to 2002.
Essentially PCI put the burden of adhering to its standards on the company for companies in Level 2 and 3 using self-assessment questionnaires and quarterly scans by an approved security vendor. These requirements are easily violated since the network scans are usually done automatically by McAfee and only on networks specified by the company. The scans do not include database scans that check for unencrypted data and in this case, TJX was in violation of PCI standards by keeping unencrypted data.
As per PCI standards and the Privacy Act, e-commerce sites and companies should only store the last four digits of a customer’s credit card number and so old credit card information with full numbers, CVCs and PINs requires manual deletion from the database since an automated network scan cannot detect it. In this regard, it is a company’s responsibility to protect all consumer data.
Lack of processing logs and regular system audits: TJX lacked processing logs on its IT systems which were necessary to conduct forensic analyses and audit trails on details such as file addition, access, changes, deletion, download etc. Processing logs are an essential requirement especially when processing millions of transactions. Apart from that, TJX did not conduct regular internal and external audits on system and network security since the security breach had lasted for almost 18 months before being detected. The company also lacked a risk mitigation and management strategy while the annual self-assessment questionnaires indicated non-compliance to PCI standards.

Recommendations and Future Action:

The recommended solution to the TJX breach is to align the business, organizational and information strategies by focusing on risk mitigation and management strategies, and sound IT governance policies. The immediate future plans would be to contain the breach and embark on a vulnerability fixing process.
The first thing in this action plan would be for TJX to upgrade its wireless network security protocols to WPA or the even more secure WPA 2 protocol in all stores. The second step is to ensure physical security of all information assets to ensure that they are not tampered with. Security measures may include installation of surveillance cameras at in-store kiosks and cash registers to ensure continuous vigilance. TJX should also implement firewalls to control incoming traffic from the kiosks and wireless hotspots into the system. To secure the databases, a three-tier architecture is recommended to completely separate the database layer from the application layer which the kiosks can access.
In terms of encryption, TJX should seek to implement strong encryption such as the Advanced Encryption Standard (AES) and the Message Digest 5 (MD5) hashing to store and transmit information since MD5 hashes cannot be reverse engineered while AES encryption is hard to crack. The company should also stop storing unnecessary customer data for long periods of time to ensure compliance with PCI standards. Process and access logs should also be maintained for the network and IT systems.
TJX should also come up with formal procedures and policies for risk management and conduct independent system audits on a quarterly basis and real-time system monitoring. An effective risk management strategy will include factors such as transparency, cost of operations, vulnerability avoidance and detection, and enhancing system capabilities (Ernest and Young, 2011). There should also be regular training for employees to raise awareness on the importance of IT security measures such as password sharing and leaving terminals without logging off to prevent internal security breaches. The TJX management should also reward employees who expose network and system vulnerabilities.

Conclusion:

After determining the causes of the TJX information systems breach, it is evident that this kind of breach was due to negligence and the use of outdated security practices. However, based on the findings and recommendations it is evident that the responsibility of ensuring security of information systems and networks relies completely on the company. It is therefore in their best interests that the management at TJX must drive a sound organizational strategy to secure its IT framework and meet its strategic goals.

References:

Berg, G., Freeman, M., & Schneider, K. (2008). Analyzing the TJ Maxx Data Security Fiasco. Nysscpa.org. Retrieved 4 February 2015, from http://www.nysscpa.org/cpajournal/2008/808/essentials/p34.htm
Ernest &Young,. (2011). Building confidence in IT programs: Facilitating success through program risk management (1st ed.). Ernest and Young. Retrieved from http://www.ey.com/Publication/vwLUAssets/EY_Building_confidence_in_IT_programs/$FILE/EY_Building_confidence_in%20IT_programs.pdf
McGregor, J. (2007). How the TJX breach may change security awareness. SC Magazine. Retrieved 4 February 2015, from http://www.scmagazine.com/how-the-tjx-breach-may-change-security-awareness/article/34806/
Sullivan, D. (2015). Essential Series Messaging and Web Security Volume III 1-6 (1st ed.). Realtime Publishers and McAfee Security. Retrieved from http://bandwidthco.com/whitepapers/itil/Essential%20Series%20Messaging%20and%20Web%20Security%20Volume%20III%201-6.pdf