In January 2007, TJX, the parent company of T.J. Maxx and Marshalls, reported an IT security breach. The intrusion involved the portion of its network that handles credit card, debit card, check, and merchandise return transactions. Facts slowly emerged that roughly 94 million customers' credit card numbers had been stolen from T.J. Maxx and Marshalls throughout 2006. It was believed that hackers sat in store parking lots and infiltrated TJX through its wireless network.
Most retailers use wireless networks to transmit data to the store's main computers and for credit card approval. Wireless data travels through the air and leaks beyond the store's walls. TJX relied on an encryption scheme developed just as retailers began going wireless: Wired Equivalent Privacy (WEP), a wireless encryption standard introduced in 1999 that retailers began to deploy. Within a couple of years hackers broke WEP and rendered it obsolete. Many retailers never moved to the updated protocols, WPA or WPA2. TJX never upgraded, and once hackers gained access they were able to sniff transmissions, see where they were going, and view information logged on a central server. Of the seven Basel II detailed loss event types, this event would be classified as a level 3 category external fraud.
Part II: Risk Factors
The risk factors that contributed to this event are: use of obsolete encryption technology, prolonged storage of detailed customer/credit information, and a wireless IT system whose signals link directly to the customer database. These factors fall within the technology and information elements of Alter's work system framework.
Using WEP encryption increases the probability of a risk event: WEP had already been cracked and deemed obsolete. TJX wasn't specifically targeted but became an opportunity, as hackers drove around retailers' parking lots searching for WEP-protected wireless signals.
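The control implied by the two paragraphs above is an inventory audit: every access point still running WEP (or no encryption) is a critical finding, and the fix is migration to WPA2 (or, in the case's framing, WPA). The script below is an added example written for this page, not part of the original case study or any TJX material. It parses a constructed CSV-style site-survey export (the column layout and the sample rows are assumptions, not a real vendor format) and grades each access point. It also goes slightly beyond the case text by treating WPA itself as a "WARN" rather than "OK", since TKIP-based WPA has since been deprecated as well.

```python
"""Grade a wireless access-point inventory by encryption protocol.

Added example for the TJX case discussion; not code from the original
page. The survey format below is a constructed, hypothetical export.
"""
from dataclasses import dataclass
from collections import Counter

# Protocol policy derived from the case: WEP is broken and obsolete; the
# upgrade path named in the text is WPA/WPA2. WPA (TKIP) is flagged for
# upgrade rather than accepted, reflecting its later deprecation.
OBSOLETE = {"OPEN", "WEP"}          # no encryption or broken encryption
LEGACY = {"WPA"}                    # works, but should be migrated
ACCEPTABLE = {"WPA2", "WPA3"}       # current standards


@dataclass
class AccessPoint:
    ssid: str
    bssid: str
    security: str
    location: str


def parse_survey(text: str) -> list[AccessPoint]:
    """Parse the constructed 'ssid, bssid, security, location' format."""
    aps = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ssid, bssid, security, location = [f.strip() for f in line.split(",")]
        aps.append(AccessPoint(ssid, bssid.lower(), security.upper(), location))
    return aps


def classify(ap: AccessPoint) -> str:
    """Return a severity grade for one access point's encryption setting."""
    if ap.security in OBSOLETE:
        return "CRITICAL"   # anyone in range can read the traffic
    if ap.security in LEGACY:
        return "WARN"       # schedule migration to WPA2
    if ap.security in ACCEPTABLE:
        return "OK"
    return "REVIEW"         # unrecognised value: check manually


def audit(text: str) -> dict[str, str]:
    """Map each BSSID in the survey to its grade."""
    return {ap.bssid: classify(ap) for ap in parse_survey(text)}


def summary(text: str) -> dict[str, int]:
    """Count access points per grade, e.g. for a management report."""
    return dict(Counter(audit(text).values()))


# Constructed sample survey; BSSIDs and store names are made up.
SAMPLE_SURVEY = """
# ssid, bssid, security, location
STORE-POS,   00:11:22:33:44:01, WEP,  Store 101 back office
STORE-POS,   00:11:22:33:44:02, WPA2, Store 102 back office
STORE-GUEST, 00:11:22:33:44:03, OPEN, Store 102 front
STORE-SCAN,  00:11:22:33:44:04, WPA,  Store 103 stockroom
"""

if __name__ == "__main__":
    for bssid, grade in audit(SAMPLE_SURVEY).items():
        print(f"{bssid}  {grade}")
    print(summary(SAMPLE_SURVEY))
```

In practice the survey text would come from a controller or site-survey tool export; the grading logic is the part that encodes the lesson of the case, namely that WEP on a point-of-sale network is a critical finding regardless of whether anyone is known to be targeting the store.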