TJX case study
1.0 INTRODUCTION
Founded in 1976, TJX was one of the largest retailers in the fashion industry and ranked 138th
among the Fortune 500 companies. Its revenue reached US$17.4 billion in 2006. Its business
comprised 8 independent companies operating in the off-price segment in the United States,
Canada and Europe, selling branded clothing and home fashions at prices 20-70% lower than
other department or specialty stores. Their primary focus on a "low cost" policy let them
capitalize on fluctuations in customer demand and on the mistakes made by designers and
high-priced retail showrooms. As a result they held an exceptional position with customers and
within the retail industry.
This case study shows that IT played a crucial role in TJX's low-cost approach: in maintaining
low prices, achieving operational efficiency and keeping pace with competitors. IT networks and
systems enabled swift data transmission and therefore the better communication required among
its customers, vendors, buyers, merchandisers, store associates and financial institutions such
as banks and other payment gateways. The kiosks and barcode scanners operating in its stores
accelerated company operations and improved customer service.
Customer Relationship Management systems were used to categorize and target profitable
customers. However, because of a failure to maintain IT standards, together with human error,
TJX suffered a security breach in 2005-2006; the reasons behind it are analyzed below.
2.0 A BRIEF OVERVIEW
On December 18, 2006 TJX faced a security breach: an unauthorized intrusion into the computer
networks and systems it used to manage its vast network of operations, data and communications.
TJX had been using two main storage systems, the Framingham and Watford systems. The Watford
system was used by T.J.Maxx in the UK and Ireland to process and store financial transactions,
whereas the Framingham system did the same for the debit and credit card transactions of
customers at all other TJX locations. This storage included ID and driver's license numbers
(for instance SSNs) together with the names and addresses of customers returning goods.
The investigations showed that the systems targeted by the intrusion were in the Framingham
system. TJX immediately initiated a security investigation and additionally hired General
Dynamics Corporation and IBM. Their subsequent enquiries confirmed that a group of hackers from
Eastern Europe was responsible for stealing TJX's sensitive financial business data. This
group specialized in aggregating stolen credit card data, which they forwarded to an associated
group based in Florida. That group used the information to produce counterfeit credit cards
bearing fake logos, with the stolen card numbers encoded on their magnetic strips; these were
then sold or used for illegal purchases at big-box stores and gas stations (Chandrasekhar, 2008).
TJX informed law enforcement and financial organizations such as banks, credit/debit card
companies and cheque-processing companies about the intrusion.
Following the instructions of the US Secret Service, TJX kept this information confidential
until February 21, 2007.
TJX was hit hard, as the breach affected its customers primarily in the U.S., Canada, the U.K.
and Puerto Rico. The company was unable to determine how much data had been compromised, which
exposed the weakness of its security systems and practices to everyone. Consequently, a number
of actions were filed against TJX, asserting claims of clear negligence and violations of
related laws, along with judicial causes of action pertaining to the intrusion.
TJX booked a cost of $168 million for the data breach, and a further $21 million was predicted
as a probable charge for 2008. Later, subject to court approval, TJX entered into a settlement
agreement regarding the customer class actions.
3.0 FAILURE POINTS
Various failure points, including technological, organizational and human errors, contributed
to the overall failure of IT security at TJX. The following issues highlight the loopholes in
TJX's IT systems:
3.1 Violation of PCI standards
The PCI standards are a strong security blueprint for retailers that require approved
auditors to perform annual onsite audits and quarterly network scans, depending on the
merchant's level, which is categorized by the credit card transactions made. Level-1
companies had an onsite audit, while Level 2 and 3 companies submitted an annual
self-assessed report/questionnaire. TJX had passed this checkup but was nevertheless in
violation of the standards, as it had retained unencrypted data.
3.2 Irregularity in audits
TJX neither followed a regular schedule of network auditing nor maintained frequent
internal/external system security checks. This could be why the ongoing breach went
undetected for almost 18 months.
Moreover, around nine of the dozen requisites in TJX's annual self-evaluation report for
PCI DSS compliance were at fault, including its encryption techniques, the firewalls used
and its access controls, which brought the hidden truth to light. There was also no network
or log monitoring, and unencrypted customer data was present, which the auditors never
noticed.
3.3 Insufficient network security
The wireless networks inside TJX's stores used the WEP (Wired Equivalent Privacy) security
protocol, which did not meet the industry standards' requirement for stronger and stricter
protocols.
The hackers simply used telescope-shaped antennas and decoded the data streaming between
hand-held price-checking devices, cash registers and the store's computers. They also
captured IP addresses and other data, which was then used to crack the encryption key. This
enabled them to gain access to the main database at the Marshall's store.
3.4 Data encryption during transmission
TJX's practices in the Framingham system included transmitting customers' credit/debit card
data unencrypted until the moment of approval, which made it simple to intercept.
The hackers identified this window of time, during which the card numbers are in the clear
for less than a second, and captured the data within it. The encryption algorithm used by TJX
was very weak and easy to break. Additionally, in a public statement, TJX authorities admitted
that the highly sensitive decryption tool for its software encryption had actually been traced
and used by the hackers.
3.5 Insufficient in-store security of assets & firewalls incorporated
According to InformationWeek, the hackers were able to exploit the stores' in-store kiosks
simply by using a USB drive to load their own software onto the kiosk terminals, which then
acted as remote terminals connected to TJX's backend networks. That such easy access was
available points to loopholes in TJX's security, especially the basic monitoring required
for these significant in-store IT resources. It also draws attention to the inadequate
firewalls, which were useless because they could not block traffic coming from the kiosks.
3.6 Improper processing of logs
TJX did not preserve processing logs on its IT systems for customer transactions. Such logs
were a "must have", as they would have provided information about the files present on the
systems and the changes made to them (additions, deletions, etc.).
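The logs this section says TJX lacked are only useful if they cannot be quietly edited afterwards (recommendation 4.3 below asks for exactly that: authenticating log entries before they are saved). The following Python sketch is an added example, not code from the case study or from TJX: each transaction record is appended to a hash chain whose HMAC covers the previous entry's MAC, so a modified, deleted or reordered record fails verification, and a silently truncated tail is caught when the latest MAC has been anchored somewhere the log writer cannot reach. The key, field names and sample events are constructed assumptions.

```python
import copy
import hashlib
import hmac
import json

# Assumed signing key (constructed for this example). In production the key
# lives in an HSM or key-management service, never on the host writing the log.
LOG_KEY = b"example-log-signing-key-not-for-production"
GENESIS = "0" * 64  # prev-MAC value used for the very first entry

# Constructed sample store events: no real card data, PAN already masked.
SAMPLE_EVENTS = [
    {"store": "0417", "register": "03", "event": "sale", "amount": "59.99", "pan_last4": "1234"},
    {"store": "0417", "register": "03", "event": "return", "amount": "-19.99", "pan_last4": "5678"},
    {"store": "0417", "register": "01", "event": "login", "user": "associate17"},
]


def _mac(prev_mac, payload):
    """HMAC over the previous entry's MAC plus this entry's canonical JSON payload."""
    return hmac.new(LOG_KEY, (prev_mac + payload).encode(), hashlib.sha256).hexdigest()


def append_entry(chain, event):
    """Authenticate one event and append it, chained to the previous entry."""
    prev_mac = chain[-1]["mac"] if chain else GENESIS
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    chain.append({"seq": len(chain), "prev": prev_mac, "payload": payload,
                  "mac": _mac(prev_mac, payload)})
    return chain


def build_log(events):
    chain = []
    for event in events:
        append_entry(chain, event)
    return chain


def verify_log(chain, anchor=None):
    """Return (ok, first_bad_seq).

    Detects in-place modification, deletion and reordering of entries. Silent
    truncation of the tail is only caught when `anchor` (the most recent MAC,
    stored out of the log writer's reach) is supplied.
    """
    prev_mac = GENESIS
    for expected_seq, entry in enumerate(chain):
        if entry["seq"] != expected_seq or entry["prev"] != prev_mac:
            return False, expected_seq
        if not hmac.compare_digest(_mac(prev_mac, entry["payload"]), entry["mac"]):
            return False, expected_seq
        prev_mac = entry["mac"]
    if anchor is not None and prev_mac != anchor:
        return False, len(chain)
    return True, None


# Helpers that simulate what the verifier is defending against; each returns a copy.
def tamper_modify(chain, seq, new_amount):
    altered = copy.deepcopy(chain)
    event = json.loads(altered[seq]["payload"])
    event["amount"] = new_amount
    altered[seq]["payload"] = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return altered


def tamper_delete(chain, seq):
    altered = copy.deepcopy(chain)
    del altered[seq]
    return altered


if __name__ == "__main__":
    log = build_log(SAMPLE_EVENTS)
    print("intact:", verify_log(log))                                           # (True, None)
    print("edited:", verify_log(tamper_modify(log, 0, "5.99")))                 # (False, 0)
    print("deleted:", verify_log(tamper_delete(log, 1)))                        # (False, 1)
    print("truncated:", verify_log(tamper_delete(log, 2), anchor=log[-1]["mac"]))  # (False, 2)
```

The chain only proves integrity, not availability: a register that simply stops logging produces nothing to verify, so the anchor MAC should be shipped to a separate monitoring system on a schedule, and a missing anchor update treated as an alert in its own right.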
3.7 Eavesdropping by Hackers
The hackers digitally eavesdropped on employees as they logged on to TJX's central database.
Hence they could effortlessly access TJX systems over the internet from any external computer
or device.
4.0 RECOMMENDATIONS FOR IMPROVED IT SECURITY
TJX's IT security systems need to be strengthened and properly supported. The measures devised
should take the entire security breach into consideration and incorporate methods and
amendments that close these loopholes.
4.1 The first step must be to upgrade the network security protocol in all TJX stores. This
lays the foundation for secure data transactions.
4.2 TJX should adopt a strong encryption technique/standard for information storage and
transmission. It must work in accordance with the PCI standards and therefore should not
store any customer data it does not require.
4.3 Proper logs should be maintained for all store transactions, and they must be
authenticated before being saved.
4.4 Physical assets such as the kiosks should be properly secured, under security cameras
and behind firewalls, so that they are not tampered with again.
4.5 Proper network security scans and audits of its databases should be carried out at
regular intervals.
4.6 Appropriate training on security violations should be given throughout the organization,
and proper measures taken to monitor them, to avoid any internal or external leakage of
credentials.
4.7 TJX must sustain this organizational approach to achieve its goal of a secure IT
framework.
4.8 Hence, its short-term goal should be to eradicate all IT security issues, and in the
long term it should emphasize regaining the confidence of its customers by maintaining
properly firewalled IT systems.
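Recommendation 4.2 above (store only what PCI requires, and protect what is stored) is the one most directly tied to the breach's impact: the case notes that full card data and driver's license numbers were retained in the clear. The following Python example is added here and is not code from the case study or from TJX. It reduces a raw point-of-sale record to the fields a merchant may keep: the PAN is Luhn-checked, masked to its last four digits and replaced by a keyed token, while the CVV, full PAN and driver's license number are dropped before anything reaches the database. The key, field names and sample record are constructed assumptions, and the HMAC token stands in for a vault- or HSM-backed tokenization service.

```python
import hashlib
import hmac
import re

# Assumed tokenization key (constructed). In production this is a vault or
# HSM-backed tokenization service; a keyed HMAC stands in for it here.
TOKEN_KEY = b"example-tokenization-key-not-for-production"

# Fields that must never be written to the back-end database: sensitive
# authentication data, the full PAN, and identifiers the business does not need
# (the case study shows TJX kept driver's license numbers and SSNs).
FORBIDDEN_FIELDS = {"pan", "cvv", "track1", "track2", "pin", "drivers_license", "ssn"}

# Constructed raw point-of-sale record; 4111 1111 1111 1111 is a standard test PAN.
SAMPLE_POS_RECORD = {
    "store": "0417",
    "amount": "59.99",
    "pan": "4111 1111 1111 1111",
    "cvv": "123",
    "drivers_license": "D1234567",
}


def luhn_valid(pan):
    """Luhn check-digit validation over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw_pan):
    """Strip separators and reject anything that is not a plausible card number."""
    pan = re.sub(r"\D", "", raw_pan)
    if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("not a valid PAN")
    return pan


def is_valid_pan(raw_pan):
    try:
        normalize_pan(raw_pan)
        return True
    except ValueError:
        return False


def mask_pan(pan):
    """Keep only the last four digits, the portion permitted for display and storage."""
    return "*" * (len(pan) - 4) + pan[-4:]


def tokenize_pan(pan):
    """Keyed, non-reversible token so returns and chargebacks can still be matched."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()


def build_storage_record(raw):
    """Reduce a raw POS record to the fields the back end may retain."""
    pan = normalize_pan(raw["pan"])
    return {
        "store": raw["store"],
        "amount": raw["amount"],
        "pan_masked": mask_pan(pan),
        "pan_token": tokenize_pan(pan),
        # CVV, full PAN, track data and driver's license are deliberately dropped.
    }


def record_is_compliant(record):
    """True if none of the forbidden fields survived into the stored record."""
    return not (FORBIDDEN_FIELDS & set(record))


if __name__ == "__main__":
    stored = build_storage_record(SAMPLE_POS_RECORD)
    print(stored["pan_masked"], record_is_compliant(stored))  # ************1111 True
```

The `record_is_compliant` check is the kind of guard a self-assessment questionnaire can only ask about; running it on every write path, and failing the write when a forbidden field is present, turns the PCI requirement into something the system enforces rather than something an auditor has to notice.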