TJX the largest-ever consumer data breach
TJX- SECURITY BREACH MGSC 6201-02
INDUSTRY/COMPANY CONTEXT:
TJX Companies, based in Framingham, MA, was a major participant in the discount fashion and retail industry. The TJX brand had presence in the United States as well as in Canada and Europe. In mid-2005, investigators were made aware of serious security breaches experienced in TJX’s credit card system. These breaches were first found at a Marshall’s located in St Paul, MN in which the hackers implemented a “war driving” tactic to steal customer credit card information. This incident resulted in over 46 million debt and credit card numbers being compromised and is considered to be the largest security breach in US history. The security breach at TJX resulted in major members of the credit card association to establish the Payment Credit Industry Data Security Standard (PCI DSS) in order to better regulate security needs for merchants’ company credit card systems.
Further investigation revealed that these breaches at TJX could be traced back to 2003. Some key factors driving this situation included the following:
TJX’s lack of cybersecurity sophistication (i.e. use of WEP, severs always in administrator mode, etc.)
Overall lack of awareness by the consumer in terms of steps taken to mitigate breach risks
Unpredictable and inconsistent standards set by PCI DSS
CASE FACTS AND ANALYSIS
The key challenges TJX faced was implementing cybersecurity into their overall business model and emphasizing its importance on a corporate level. This required management and IT to align their security strategies (under the rules and regulations of PCI DSS) and take a “business back” approach, putting the focus on important business asset. More specifically, various issues involving both TJX and the other players in the credit card payment network include:
TECHNOLOGICAL UPGRADES/SOPHISTICATION: TJX found themselves using the Wired Equivalent Privacy (WEP) security protocol for protection, whereas newer and more
INDUSTRY/COMPANY CONTEXT:
TJX Companies, based in Framingham, MA, was a major participant in the discount fashion and retail industry. The TJX brand had presence in the United States as well as in Canada and Europe. In mid-2005, investigators were made aware of serious security breaches experienced in TJX’s credit card system. These breaches were first found at a Marshall’s located in St Paul, MN in which the hackers implemented a “war driving” tactic to steal customer credit card information. This incident resulted in over 46 million debt and credit card numbers being compromised and is considered to be the largest security breach in US history. The security breach at TJX resulted in major members of the credit card association to establish the Payment Credit Industry Data Security Standard (PCI DSS) in order to better regulate security needs for merchants’ company credit card systems.
Further investigation revealed that these breaches at TJX could be traced back to 2003. Some key factors driving this situation included the following:
TJX’s lack of cybersecurity sophistication (i.e. use of WEP, severs always in administrator mode, etc.)
Overall lack of awareness by the consumer in terms of steps taken to mitigate breach risks
Unpredictable and inconsistent standards set by PCI DSS
CASE FACTS AND ANALYSIS
The key challenges TJX faced was implementing cybersecurity into their overall business model and emphasizing its importance on a corporate level. This required management and IT to align their security strategies (under the rules and regulations of PCI DSS) and take a “business back” approach, putting the focus on important business asset. More specifically, various issues involving both TJX and the other players in the credit card payment network include:
TECHNOLOGICAL UPGRADES/SOPHISTICATION: TJX found themselves using the Wired Equivalent Privacy (WEP) security protocol for protection, whereas newer and more
References: Walker, Russell. “Maxxed Out: TJX Companies and the Largest-Ever Consumer Data Breach.” Kellogg Case Publishing, 2013. Kaplan, James, Sharma, Shantnu, and Weinberg, Allen. “Meeting the cybersecurity challenge.” McKinsey Quarterly, 2011.