Security Breach at TJX
1. What are the (a) people, (b) work process and (c) technology failure points in TJX’s security that require attention?
While it is known that all retailers, large and small, are vulnerable to attacks, several factors, spanning people, work process, and technology, require attention to prevent another major attack from hitting TJX.
The people associated with the attack who need attention are the top-level executives and, more importantly, the Payment Card Industry Data Security Standard (PCI DSS) auditors. Top-level executives need to understand that IT security is a business issue and not just a technology issue. As seen by the attack, an IT security breach can mean hundreds of millions of dollars in losses, which definitely has an adverse effect on the bottom line of the business. Further, although TJX was a Level 1 business (one that processed over six million credit card transactions per year), the PCI DSS auditor had failed to accurately assess TJX's network, missing three of the twelve encryption requirements: absence of network monitoring, absence of logs, and the presence of unencrypted data stored on the system. The lack of thoroughness on the auditor's part certainly made penetration of the system by the attackers easier, to the point where the attackers were so confident that they would send each other encrypted messages through the back end of the system. Furthermore, the in-store clerks dropped the ball by not monitoring the self-checkout kiosks more closely, which resulted in attackers using USB drives to upload software on those terminals!
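The "unencrypted data stored on the system" finding above is the kind of thing an auditor (or the retailer's own security team) can check mechanically rather than by interview. The following is an added example, not code from the case or from TJX: a small Python scanner that walks stored transaction records, finds digit runs shaped like card numbers, and confirms them with the Luhn checksum so that a full primary account number (PAN) sitting in the clear is flagged while a properly masked value is not. The sample records and their field names are constructed for the example, and the card numbers are standard test PANs, not real accounts.

```python
import re

# Constructed sample "stored records", resembling a retailer's transaction export.
# Records 1001 and 1002 hold a full card number in the clear (1002 buries it in
# a free-text note); record 1003 is correctly masked to the last four digits.
# The card numbers are well-known test PANs, not real accounts.
SAMPLE_RECORDS = [
    {"txn": "1001", "card": "4111111111111111", "amount": "59.99"},
    {"txn": "1002", "note": "cust paid w/ 5500 0000 0000 0004", "amount": "12.50"},
    {"txn": "1003", "card": "************1111", "amount": "8.00"},
]

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run. This is a candidate filter only; Luhn decides the rest.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_pans(text: str) -> list:
    """Return every Luhn-valid card-number-shaped digit run found in text."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_records(records) -> list:
    """Scan every field of every record; report (txn, field, last four) per hit.

    Only the last four digits are reported so the scanner's own output does not
    become another place where full PANs are stored in the clear.
    """
    findings = []
    for rec in records:
        for field, value in rec.items():
            for pan in find_cleartext_pans(str(value)):
                findings.append((rec["txn"], field, pan[-4:]))
    return findings


if __name__ == "__main__":
    for txn, field, last4 in scan_records(SAMPLE_RECORDS):
        print(f"txn {txn}: cleartext PAN ending {last4} in field '{field}'")
```

Running the block reports records 1001 and 1002 and stays silent on the masked record 1003. The point of scanning every field, not just the one named `card`, is that the free-text note in 1002 is exactly where cleartext card data tends to survive after the obvious columns have been encrypted.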
Work process failure points that require attention are the personal information required for non-receipt merchandise returns, such as driver's license and social security numbers. Either do not allow returns without a receipt, or implement a system for non-receipt returns that does not require the customer to give out very personal information.
Technology failure points at TJX