Cormalita Uzzell
319/CIS
May 6, 2013
Christopher Canter
In January 2007, TJX Companies, Inc. issued a press release announcing that its computer systems had been breached and customer information had been stolen. Reports estimated that at least 94 million Visa and MasterCard accounts had been compromised, with losses projected at $4.5 billion. What caused the company's breach? What did the company do to ensure that it would not happen again? Perhaps the company simply assumed that its existing system was flawless.
Every company would like a top-notch system that cannot be hacked, but that is not feasible. For every new system there is an attacker waiting for a chance to get lucky and steal information. TJX, however, was not simply unlucky. Investigation into the case indicated that the company was not in compliance with the Payment Card Industry (PCI) data security standards established in 2004 by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International (Berg, Freeman, & Schneider, 2008). There were three areas of vulnerability: inadequate wireless network security, improper storage of customer data, and failure to encrypt customer account data. The store where the first breach occurred was using a wireless network protected only by Wired Equivalent Privacy (WEP). The problem with WEP is that it is easy to break: it keys the RC4 stream cipher with a 24-bit initialization vector that repeats after a few thousand frames, and by 2007 researchers had shown that a WEP key could be recovered from about a minute of captured traffic. Once the store network had been broken into, the hackers moved on to the corporate headquarters systems and obtained the customer account information. According to the Wall Street Journal, the intruders went undetected for 18 months. The intruders were Albert Gonzalez (the ringleader), with Jonathan James and Damon Patrick Toey as accomplices; Aleksandr Suvorov was the programmer and Maksym Yastremskiy the fence (Goerlich, 2009).
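To show concretely why a WEP network is easy to break, the following Python example (added here; it is not code from this essay or from any of the cited sources) implements the WEP construction, RC4 keyed with a 24-bit IV prepended to the shared secret, and shows what an attacker who knows the plaintext of one frame can do whenever another frame is sent under the same IV: recover the keystream without ever learning the key, and read the other frame. The shared key, the IV and the frame contents are constructed demo values. It demonstrates IV-reuse keystream recovery, the design flaw that the one-minute key-recovery attacks build on, not the full statistical key-recovery attack itself.

```python
import math
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus PRGA: return `length` keystream bytes for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV (3 bytes, sent in the clear) || RC4(IV||secret) XOR (plaintext || CRC-32 ICV)."""
    assert len(iv) == 3
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    ks = rc4_keystream(iv + secret, len(plaintext) + 4)
    return iv + xor(plaintext + icv, ks)


def wep_decrypt(secret: bytes, frame: bytes):
    """Legitimate receiver: strip the IV, decrypt, verify the ICV; None on mismatch."""
    iv, body = frame[:3], frame[3:]
    pt_icv = xor(body, rc4_keystream(iv + secret, len(body)))
    pt, icv = pt_icv[:-4], pt_icv[-4:]
    return pt if icv == struct.pack("<I", zlib.crc32(pt) & 0xFFFFFFFF) else None


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Attacker: keystream = ciphertext XOR (known plaintext || its ICV). No key needed."""
    known = known_plaintext + struct.pack("<I", zlib.crc32(known_plaintext) & 0xFFFFFFFF)
    return xor(frame[3:], known)


def decrypt_with_keystream(frame: bytes, ks: bytes) -> bytes:
    """Attacker: any frame under the same IV is readable up to len(ks) bytes."""
    return xor(frame[3:], ks)


def frames_until_iv_collision(p: float = 0.5, iv_bits: int = 24) -> float:
    """Birthday bound: frames needed for probability p that some 24-bit IV repeats."""
    return math.sqrt(2 * 2 ** iv_bits * math.log(1 / (1 - p)))


# Constructed demo data (not TJX's): a 40-bit shared key, one IV, two frames.
SECRET = bytes.fromhex("0f1e2d3c4b")
IV = bytes.fromhex("a1b2c3")
SNAP_IPV4 = bytes.fromhex("aaaa030000000800")  # LLC/SNAP header that starts every IPv4 frame
KNOWN_FRAME_PT = SNAP_IPV4 + b"attacker-elicited ping payload"     # e.g. a ping the attacker caused
SECRET_FRAME_PT = SNAP_IPV4 + b"PAN=4111111111111111 EXP=0914"    # what the attacker wants to read


def iv_reuse_demo() -> bytes:
    """Two frames under one IV: recover the keystream from the known one, read the other."""
    f_known = wep_encrypt(SECRET, IV, KNOWN_FRAME_PT)
    f_secret = wep_encrypt(SECRET, IV, SECRET_FRAME_PT)
    # Same IV and secret give the same RC4 keystream, so c1 XOR c2 == p1 XOR p2.
    n = min(len(KNOWN_FRAME_PT), len(SECRET_FRAME_PT))
    assert xor(f_known[3:], f_secret[3:])[:n] == xor(KNOWN_FRAME_PT, SECRET_FRAME_PT)[:n]
    ks = recover_keystream(f_known, KNOWN_FRAME_PT)
    return decrypt_with_keystream(f_secret, ks)[:len(SECRET_FRAME_PT)]
```

`frames_until_iv_collision()` returns roughly 4,800: on a busy store network a repeated IV is a matter of seconds, and nothing in WEP prevents a client from reusing IVs or starting from zero. WPA/WPA2 replaced this with per-packet keys derived from a fresh 48-bit counter, which is the change TJX later agreed to make.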
This is how the hackers infiltrated TJX. In July 2005, Gonzalez and his crew identified a weakness in TJX: a sensitive internal Wi-Fi LAN was running WEP. Gonzalez compromised the network, installed backdoors, and began probing for sensitive data. By August 2005, the TJX databases were compromised. Through the point-of-sale and credit-processing transaction systems, Gonzalez had access to credit card, debit card, check, and merchandise-return transactions. Maksym Yastremskiy began selling stolen credit card numbers from TJX and Hartford (Goerlich, 2009).
The company was also storing customer information together with the card verification code and personal identification numbers (PINs), which violates the PCI data security standard: that authentication data may not be retained once a transaction has been authorized. It is possible that the company was using older point-of-sale software that could not be reconfigured to comply with the PCI standard. Another problem mentioned by The CPA Journal is TJX's failure to properly encrypt customer data, or alternatively that the hackers stole the encryption key. Either way, the bottom line was that the company did not maintain industry standards.
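As an added example (not code from this essay or its sources), the following Python scans stored transaction records for the data that PCI DSS says must never be retained after authorization, which is exactly what TJX was found keeping: full track data, the card verification code and PIN blocks, plus primary account numbers stored in the clear rather than masked. The records, field names and card numbers are constructed test data (industry test card numbers, not real accounts); `sanitise()` shows what a compliant copy of the same record looks like.

```python
import re
from typing import Dict, List

# Sensitive authentication data that PCI DSS forbids storing after authorization:
# full track data, CVV2/CVC2/CID, and the PIN or PIN block.
SAD_FIELDS = {"cvv2", "cvc2", "cid", "pin", "pin_block", "track1", "track2"}

# Track 2 data looks like PAN=YYMM<service code><discretionary data>.
TRACK2_RE = re.compile(r"\b(\d{13,19})=(\d{4})\d+")
# A bare 13-19 digit run is a candidate PAN; the Luhn check filters out other numbers.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_violations(row: Dict[str, object]) -> List[str]:
    """Report every field of a stored record that breaks the retention rules."""
    problems = []
    for field, value in row.items():
        if value in (None, ""):
            continue
        text = str(value)
        if field.lower() in SAD_FIELDS:
            problems.append(f"{field}: sensitive authentication data retained")
            continue
        if TRACK2_RE.search(text):
            problems.append(f"{field}: track 2 data found in free-form field")
            continue
        for m in PAN_RE.finditer(text):
            if luhn_ok(m.group()):
                problems.append(f"{field}: unmasked PAN stored in clear")
    return problems


def sanitise(row: Dict[str, object]) -> Dict[str, str]:
    """Return a copy with SAD fields dropped and every PAN masked, including inside free text."""
    clean = {}
    for field, value in row.items():
        if field.lower() in SAD_FIELDS or value in (None, ""):
            continue
        text = str(value)
        text = TRACK2_RE.sub(lambda m: mask_pan(m.group(1)) + "=****", text)
        text = PAN_RE.sub(lambda m: mask_pan(m.group()) if luhn_ok(m.group()) else m.group(), text)
        clean[field] = text
    return clean


def audit(rows: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Map transaction id to its violations, for records that have any."""
    report = {}
    for row in rows:
        found = find_violations(row)
        if found:
            report[str(row["txn"])] = found
    return report


# Constructed sample rows, as a non-compliant POS database might hold them.
SAMPLE_ROWS = [
    {"txn": "1001", "pan": "4111111111111111", "exp": "0914",
     "cvv2": "123", "pin_block": "3f2a9c11d4e7b802", "amount": "42.17"},
    {"txn": "1002", "pan": "550000******0004", "exp": "1015",
     "memo": "swipe retry raw=5500000000000004=1015101123456789", "amount": "9.99"},
    {"txn": "1003", "pan": "378282******0005", "exp": "0316", "amount": "120.00"},
]
```

Record 1001 is the TJX pattern (clear PAN plus CVV2 and PIN block retained); record 1002 shows why a scanner has to look inside free-text fields as well as named columns, since a full magnetic stripe can end up in a debug memo; record 1003 is what the standard expects. In a real deployment the masked PAN would be replaced by a token or stored encrypted, and the scan would run against database exports and POS logs on a schedule.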
According to the Illinois Attorney General, TJX agreed to install a comprehensive information security program that assesses internal and external risks to consumers' personal information. The company also will regularly monitor and test the program's effectiveness and report the results to the Attorneys General. Under the agreement with Madigan's office and the other Attorneys General, TJX will:
* Upgrade all Wired Equivalency Privacy ("WEP") based wireless systems in TJX retail stores to wired systems or Wi-Fi Protected Access ("WPA") wireless systems;
* Store credit card or debit card data on its network for only as long as necessary for legitimate business purposes;
* Install firewalls and access controls to isolate the portion of the company's computer network that stores, processes or transmits personal information; and
* Implement proper security password management for the portions of the TJX computer system that store, process or transmit personal information.
TJX also agreed to pay the states $9.75 million, of which Illinois will receive more than $440,000 for programs to enforce the consumer protection laws, protect consumer data, and provide consumer education. An estimated $2.5 million of the overall settlement will fund a Data Security Trust Fund to be used by the Attorneys General to advance enforcement efforts and policy development in the field of data security and personal information protection (Illinois Attorney General, 2009). Based on the evidence and numerous reports, TJX could have avoided many of these problems had it taken the time to upgrade to proper wireless network security. It does not pay to be cheap on necessary equipment in a billion-dollar company.
References
Berg, G. G., Freeman, M. S., & Schneider, K. N. (2008, August). Analyzing the TJ Maxx data security fiasco. The CPA Journal. Retrieved from http://www.nysscpa.org
Goerlich, J. W. (2009, September 2). TJMaxx security incident timeline. Retrieved from http://www.jwgoerlich.us/...
Illinois Attorney General. (2009, June 23). TJX agreement. Retrieved from http://www.illinoisattorneygeneral.gov