Preview

TJX the largest-ever consumer data breach

Better Essays
Open Document
Open Document
1054 Words
Grammar
Grammar
Plagiarism
Plagiarism
Writing
Writing
Score
Score
TJX the largest-ever consumer data breach
TJX- SECURITY BREACH MGSC 6201-02
INDUSTRY/COMPANY CONTEXT:
TJX Companies, based in Framingham, MA, was a major participant in the discount fashion and retail industry. The TJX brand had presence in the United States as well as in Canada and Europe. In mid-2005, investigators were made aware of serious security breaches experienced in TJX’s credit card system. These breaches were first found at a Marshall’s located in St Paul, MN in which the hackers implemented a “war driving” tactic to steal customer credit card information. This incident resulted in over 46 million debt and credit card numbers being compromised and is considered to be the largest security breach in US history. The security breach at TJX resulted in major members of the credit card association to establish the Payment Credit Industry Data Security Standard (PCI DSS) in order to better regulate security needs for merchants’ company credit card systems.
Further investigation revealed that these breaches at TJX could be traced back to 2003. Some key factors driving this situation included the following:
TJX’s lack of cybersecurity sophistication (i.e. use of WEP, severs always in administrator mode, etc.)
Overall lack of awareness by the consumer in terms of steps taken to mitigate breach risks
Unpredictable and inconsistent standards set by PCI DSS
CASE FACTS AND ANALYSIS
The key challenges TJX faced was implementing cybersecurity into their overall business model and emphasizing its importance on a corporate level. This required management and IT to align their security strategies (under the rules and regulations of PCI DSS) and take a “business back” approach, putting the focus on important business asset. More specifically, various issues involving both TJX and the other players in the credit card payment network include:
TECHNOLOGICAL UPGRADES/SOPHISTICATION: TJX found themselves using the Wired Equivalent Privacy (WEP) security protocol for protection, whereas newer and more



References: Walker, Russell. “Maxxed Out: TJX Companies and the Largest-Ever Consumer Data Breach.” Kellogg Case Publishing, 2013. Kaplan, James, Sharma, Shantnu, and Weinberg, Allen. “Meeting the cybersecurity challenge.” McKinsey Quarterly, 2011.

You May Also Find These Documents Helpful

  • Good Essays

    Technology has rapidly advanced, affecting standards on privacy, telecommunications, and criminal law. Every day, we encounter unexpected consequences of data flows that could not have happened a few years ago.…

    • 786 Words
    • 4 Pages
    Good Essays
  • Good Essays

    It 205 Week 3 Assignment

    • 667 Words
    • 2 Pages

    The TJX was still using the old wired equivalent Privacy (WEP) encryption system, which is relatively easy for hackers to crack. An auditor also later found the company had neglected to install firewalls and data encryption, on many of the computers using the wireless network,…

    • 667 Words
    • 2 Pages
    Good Essays
  • Powerful Essays

    INF 325 Week 1: A Case Study

    • 2472 Words
    • 10 Pages

    Internet and network security are a primary concern for many businesses. In today 's world, the number of hacks and leaks of data is continuing to rise, which is what makes security the primary concern. What may or may not be apparent is that many breaches of data tend to be caused by internal users ' errors that may not even have been meant to be malicious. Liaskos and Sandy quote a study by Roman which revealed…

    • 2472 Words
    • 10 Pages
    Powerful Essays
  • Satisfactory Essays

    Cp Case Study

    • 976 Words
    • 4 Pages

    | * ChoicePoint customers had their identity’s compromised and ultimately stolen * The compromise of their identity means that they criminals could use their names and info for other purposes * ChoicePoint was effected by the Class-action lawsuit as a result * Were being investigated by the U.S Senate…

    • 976 Words
    • 4 Pages
    Satisfactory Essays
  • Satisfactory Essays

    Unit 1 Assignment 2

    • 313 Words
    • 2 Pages

    By understanding what controls and strategies are already in place for this company to protect this data, the company can now move forward and decide on a desired result, develop a workable plan and monitor its process. I feel the key to this company’s problem with breach of sensitive online data is fire wall and encryption.…

    • 313 Words
    • 2 Pages
    Satisfactory Essays
  • Good Essays

    Tjx Security Breach

    • 1008 Words
    • 5 Pages

    1 When TJX first noticed the issue in Dec of 2006, intrusions had been occurring for at least 16 months,…

    • 1008 Words
    • 5 Pages
    Good Essays
  • Satisfactory Essays

    UNFO traditionally has been a brick-and-mortar retailer, and the management has experiences of associated business risks such as employee theft and shoplifting. However, as the organization moves into the e-commerce model, new risks will be introduced to the organization. As the information security analyst, it will be your role to summarize the business impact of these new risks, the motivating factors that one may have to exploit vulnerabilities, and how the risks can be mitigated.…

    • 258 Words
    • 1 Page
    Satisfactory Essays
  • Powerful Essays

    During, and leading up to, the recent data breach that occurred at Target, it is evident that many mistakes were made at the executive level. As any company, Target possesses a primary goal of balancing both effectiveness, and efficiency; however, the organization under CEO Greg Steinhafel did not achieve these goals simultaneously. Prior to the data breach experienced by Target, the company primarily focused on efficiency --- the act of determining and implementing the most cost effective method of utilization for products, resources, or personnel (Kinicki and Williams, 2016). This manner of management by the executives did meet the minimum requirements of cyber security set by government regulations; however, it was not not effective enough…

    • 1301 Words
    • 6 Pages
    Powerful Essays
  • Powerful Essays

    In conclusion, the major issues within the company is lack of communication according to how Flayton Electronics were affected throughout the process of the breach.…

    • 2421 Words
    • 10 Pages
    Powerful Essays
  • Better Essays

    The TJX Corporation, a major retailer with stores in the United States, Puerto Rico, and even the United Kingdom, experienced one of the largest security breaches. Millions of their customer’s credit and debit card information were stolen over a seventeen-month period. The TJX Corporation announced to the public on February 21, 2007 an unauthorized user had accessed their security system and the sensitive information stored in their system had been compromised. The span of unauthorized access went unnoticed from the first hacking in July of 2005. The usual encryptions, that protect vital information like credit card numbers and accounts, had been broken down by the hacker. The files, as far as 2002, that were accessed were vulnerable to theft. Furthermore, the intruder was not even detected until December of 2006. There was much controversy in the manner the information was made available to the public. The consumers’ whose account information was violated had to learn they were at risk of identity theft from the local news. The millions of T.J. Maxx, Marshalls, HomeGoods, and A.J. Wright costumers’ personal information had been infiltrated by a source that the TJX Corporation was unable to detect for seventeen months and also were unable to determine if the hacker had also interfered in the purchasing process. Aside from the 45.7 million customer information that was exposed to criminals, TJX also had to rebuild their creditability with their customers.…

    • 1046 Words
    • 5 Pages
    Better Essays
  • Powerful Essays

    Risks of a Dos Attack

    • 1541 Words
    • 7 Pages

    The security perspective of an e-commerce company varies based on its business model. iPremier follows a Business-to-consumer (B2C) model and the entire sales come directly through web sales i.e. online B2C transactions. Hence the IT security of iPremier should center on the protection of the customer information and needs. The Federal Reserve includes six types of risks a company could face because of an Information Technology (IT) breach, which are credit, market, liquidity, operational, legal, and reputational in nature (FFIEC, 2006). iPremier faces operational, reputational, legal and market risks in the current situation following the Denial of Service (DoS) attack.…

    • 1541 Words
    • 7 Pages
    Powerful Essays
  • Good Essays

    Tjx Companies

    • 791 Words
    • 4 Pages

    TJX companies needed quite a few enhancements into their security setup. The first change that could have been made was updating the Wi-Fi network security. Using the WPA encryption system should have been a priority upgrade considering the weak security alternatives. In addition to that encryption, a firewall could have been active on every computer. Most computers have firewalls for their internet browsing, but an additional firewall could protect an area of the company’s network, such as credit card information. Another important tool is updated anti-virus software. Anti-virus software only protects against known viruses so it important to keep the software updated. Credit card data should always be encrypted, especially when being sent to another party (on the off chance it is intercepted). Security systems should be tested frequently and checked for errors or flaws in the system.…

    • 791 Words
    • 4 Pages
    Good Essays
  • Good Essays

    pubpolessay

    • 632 Words
    • 2 Pages

    From afar, the data breach notification system may seem wholesome, however look a bit closer and you will find many insufficiencies made up of inconsistent state data breach laws that compose our nation’s standard defense against data breaches. The inconsistencies in state data breach laws cause insufficient protection of citizens, unnecessary complexities for businesses, and de-facto national requirements. Data breaches cause corporations millions of dollars and is one of the fastest growing crimes committed. For instance, California is witnessing identity theft as one of the fastest growing crimes committed. In 2000, the Los Angeles County Sheriff’s Department reported 1,932 identity theft cases, which was a 108 percent increase from the previous year. After a large amount of customer databases containing personal information were breached, security data breach notification laws were enacted by most American states since 2002. Specifically, the first security breach notification law introduced by California State Senator Peace on February 12, 2002 was law Senate Bill No. 1386 (“SB 1386”) in the state of California; it was passed unanimously by the California Senate and Assembly and it became effective July 1, 2003. Since most states follow California’s security breach laws and California is leading the nations effort in security data breach laws, I will be discussing California’s data laws in further detail, as this will focus in on issues regarding data laws in general. SB 1386 requires any company that stores its customer’s unencrypted date electronically to notify the customers if a security breach has taken place or if they have reason to believe that unencrypted date has been stolen. As defined by California’s law, personal information “includes any user name or email address, in combination with a password or security question and answer that would permit access to an online account [as well as medical…

    • 632 Words
    • 2 Pages
    Good Essays
  • Good Essays

    Data Breach Research Paper

    • 1510 Words
    • 7 Pages

    When data breaches occur, it can be extremely costly towards a company. They may be required to pay fees directly to consumers, or pay for technology that increases their security so a hack does not occur again. Either way, corporations should understand the cost that a hack of consumers’ information could cost them. Ponemon Institute researched this and found, “data breaches cost companies an average of $221 per compromised record – of which $145 pertains to indirect costs, which include abnormal turnover or churn of customers and $76 represents the direct costs incurred to resolve the data breach, such as investments in technologies or legal fees” (2016 Cost of). Corporations should invest more into security systems…

    • 1510 Words
    • 7 Pages
    Good Essays
  • Best Essays

    and software are stored on servers owned and maintained by a third party, is becoming…

    • 2426 Words
    • 10 Pages
    Best Essays