Ans: When security upgrades are made available, it’s because they’re necessary, not because software developers have thought up some great new software gimmick. Hackers are able to bypass the old systems too easily, so better security is needed to keep the hackers out. TJX ignored the need for better e-security, and even neglected to install one particular upgrade they had purchased.
2. What management, organization, and technology factors contributed to these weaknesses?
Ans: Management: While one may not think of it as a weakness, management’s reluctance to report the stolen laptop and the contents of the hard drive contributed to the difficulty in finding the laptop before the data was compromised. Organization: VA operations should have limited the data accessible to employees to only the data needed to do their jobs effectively. A failure to stress the sensitivity of the data led to a careless attitude toward protecting it. Technology: At a minimum, the data should have been encrypted and password protected. As a practical measure, the laptop should have been protected at the BIOS level if it contained data of that sensitivity.
3. What was the business impact of TJX’s data loss on TJX, consumers, and banks?
Ans: TJX faces consumer and bank class action lawsuits over the exposure of as many as 100m customer records as the result of a security breach that lasted for two distinct six-month periods between 2003 and December 2006. Hackers broke into a system that stored data on credit card, debit card, cheque, and return details in an attack blamed on a poorly secured wireless network in one of its stores. Subsequent credit card frauds have been traced to data swiped as a result of these breaches, and a number of arrests have been made.
4. How effectively did TJX deal with these problems?
Ans: Not well enough. The $40.9 million fund for the