Case Study TJX Credit Card Breach Imagine being the chief information officer (CIO) of one of the largest department store chains in the United States Now imagine your CEO publicly announces that the company has just become the victim of the largest known theft of credit card data in history This is a nightmare situation for any IT security professional, and this is what happened to the TJX Companies The TJX Companies, Incorporated is a large off price retailer of apparel and home fashion The company operates under several brands, including T J Maxx and Marshalls On January 17, 2007, TJX announced it had become a victim of an intrusion into portions of its information systems that process and store customer transaction data An unauthorized intruder first accessed systems in July 2005, an unauthorized access continued through mid January 2007 On December 18, 2006, TJX discovered suspicious software on its systems and immediately initiated an investigation along with leading computer security firms Within few days, TJX has notified law enforcement officials and met with the U S Department of Justice and the U S Secret Service to brief them on the discovery Shortly thereafter, TJX notified contracting banks and payment card processing companies Before the public announcement of the incident, the company has notified the U S Federal Trade Commission (FTC), the U S Securities and Exchange Commission (SEC), and the Canadian authorities At the time, this had evolved into the biggest credit card breach in history Conservative estimates initially put the number at over 45 million credit and debit cards breached, as well as the personal information of hundreds of thousands of customers including Social Security numbers and drivers license numbers Although the exact details of the breach are not clear, what is known is that the breach initially occurred as a result of the attackers targeting the wireless network of one of TJXs retails stores The wireless network used Wired Equivalent Privacy (WEP) as an encryption method, which even at the time has been proven inadequate The alternative was Wi Fi Protected Access (WPA), which was introduced to replace WEP Once the attacker penetrated this weak link, the eavesdropped on usernames and passwords used to log on to TJXs main systems in Framingham, Massachusetts Eventually, the attackers created their own accounts on the main system and collected sensitive data In the aftermath, TJX has become the poster child for credit card breaches The incident has also generated a lot of conversation and debate around adequate security controls for confidential personal information Much of the blame for this incident was placed on the poorly secured wireless networks, but what type of defense in depth or compensating controls existed The FTC charged TJX with failure to maintain proper security controls, specifically citing the lack of firewalls, wireless security, failure to patch vulnerabilities, and failure to update antivirus signatures The following are the highlights of the fallout resulting from the breach TJX the company agreed to pay $9 75 million to settle state investigations The company settled with the FTC As a result, TJX has to create a comprehensive security program to protect the confidentiality of personal information it collects In addition, TJX must submit to a third party audit of the program every two years for the next two decades The company settled lawsuits brought by consumers and banker groups Customers were provided with a special, three day sale and vouchers as a result of the settlement of class action lawsuits The company settled with Visa and MasterCard for almost $41 million The company was required to implement a data security program to ensure that this type of incident could never happen again The company offered three years of credit monitoring to about 450 000 people who needed to provide their drivers licenses for transactions that occurred in the stores The company set aside $250 million for breach related costs Many analyst believe this number could ultimately be much higher TJX did not break any laws It was simply not compliant with stated payment card processing guidelines Court documents filed by the banks that sued TJX indicated that TJX did not comply with 9 of the 12 broad provisions within the standard established for the payment card industry Although the breach has been costly for TJX, it is a multibillion dollar retailer that has survived and made appropriate adjustments Smaller organizations, however might not survived Although it costs money to implement proper controls and procedures for compliance, noncompliance and security breaches have their own costs You learned that fines can be levied for noncompliance but what about the costs of a breach Forrester Research puts the cost per record breached at anywhere between $90 and $305, depending on the type of breach and how regulated the industry within which the breach occurs is Consider the following categories from where costs can occur following breach Discovery, notification, and response legal counsel mailings, call center support, discounted product offers Lost productivity employees attention diverted or put on other tasks requiring attention Opportunity cost loss of customers and attaining new customers Regulatory fines FTC, PCI, Sarbanes Oxley Restitution Money set aside for payment Additional security and audit requirements those levied as a result of a breach Other liabilities Answer the Questions for the Case Study Consider the reasons why TJX might have had the weaker WEP encryption configured Was this internal standard What could be the reason List the possible reasons Do you feel that TJX properly handled the incident upon discovery of the breach Consider how incident response procedures are important to the IT Security Program Had TJX collected and retained unnecessary personal data What are the risks of holding onto data Did TJX understand where customer data resided, how it was transmitted, and whether it was encrypted If the data was encrypted, could the breach have been possible Were weaknesses and vulnerabilities within TJX discovered and documented through internal security assessments

The Answer is in the image, click to view ...

Answered step by step

Verified Expert Solution

Link Copied!

Question

1 Approved Answer

Posted on Sep 11, 2024

Case Study: TJX Credit Card Breach Imagine being the chief information officer (CIO) of one of the largest department store chains in the United States.

Case Study: TJX Credit Card Breach

Imagine being the chief information officer (CIO) of one of the largest department store chains in the United States. Now imagine your CEO publicly announces that the company has just become the victim of the largest known theft of credit card data in history. This is a nightmare situation for any IT security professional, and this is what happened to the TJX Companies.

The TJX Companies, Incorporated is a large off-price retailer of apparel and home fashion. The company operates under several brands, including T.J Maxx and Marshalls. On January 17, 2007, TJX announced it had become a victim of an intrusion into portions of its information systems that process and store customer transaction data.

An unauthorized intruder first accessed systems in July 2005, an unauthorized access continued through mid-January 2007. On December 18, 2006, TJX discovered suspicious software on its systems and immediately initiated an investigation along with leading computer security firms. Within few days, TJX has notified law enforcement officials and met with the U.S. Department of Justice and the U.S. Secret Service to brief them on the discovery. Shortly thereafter, TJX notified contracting banks and payment card processing companies. Before the public announcement of the incident, the company has notified the U.S. Federal Trade Commission (FTC), the U.S. Securities and Exchange Commission (SEC), and the Canadian authorities.

At the time, this had evolved into the biggest credit card breach in history. Conservative estimates initially put the number at over 45 million credit and debit cards breached, as well as the personal information of hundreds of thousands of customers including Social Security numbers and drivers license numbers.

Although the exact details of the breach are not clear, what is known is that the breach initially occurred as a result of the attackers targeting the wireless network of one of TJXs retails stores. The wireless network used Wired Equivalent Privacy (WEP) as an encryption method, which even at the time has been proven inadequate. The alternative was Wi-Fi Protected Access (WPA), which was introduced to replace WEP. Once the attacker penetrated this weak link, the eavesdropped on usernames and passwords used to log on to TJXs main systems in Framingham, Massachusetts. Eventually, the attackers created their own accounts on the main system and collected sensitive data.

In the aftermath, TJX has become the poster child for credit card breaches. The incident has also generated a lot of conversation and debate around adequate security controls for confidential personal information. Much of the blame for this incident was placed on the poorly secured wireless networks, but what type of defense in depth or compensating controls existed? The FTC charged TJX with failure to maintain proper security controls, specifically citing the lack of firewalls, wireless security, failure to patch vulnerabilities, and failure to update antivirus signatures.

The following are the highlights of the fallout resulting from the breach. TJX:

the company agreed to pay $9.75 million to settle state investigations.
The company settled with the FTC. As a result, TJX has to create a comprehensive security program to protect the confidentiality of personal information it collects. In addition, TJX must submit to a third-party audit of the program every two years for the next two decades.
The company settled lawsuits brought by consumers and banker groups. Customers were provided with a special, three-day sale and vouchers as a result of the settlement of class-action lawsuits.
The company settled with Visa and MasterCard for almost $41 million.
The company was required to implement a data-security program to ensure that this type of incident could never happen again.
The company offered three years of credit monitoring to about 450 000 people who needed to provide their drivers licenses for transactions that occurred in the stores.
The company set aside $250 million for breach-related costs. Many analyst believe this number could ultimately be much higher.

TJX did not break any laws. It was simply not compliant with stated payment card processing guidelines. Court documents filed by the banks that sued TJX indicated that TJX did not comply with 9 of the 12 broad provisions within the standard established for the payment card industry. Although the breach has been costly for TJX, it is a multibillion dollar retailer that has survived and made appropriate adjustments. Smaller organizations, however might not survived.

Although it costs money to implement proper controls and procedures for compliance, noncompliance and security breaches have their own costs. You learned that fines can be levied for noncompliance but what about the costs of a breach? Forrester Research puts the cost per record breached at anywhere between $90 and $305, depending on the type of breach and how regulated the industry within which the breach occurs is. Consider the following categories from where costs can occur following breach:

Discovery, notification, and response legal counsel mailings, call center support, discounted product offers
Lost productivity employees attention diverted or put on other tasks requiring attention
Opportunity cost loss of customers and attaining new customers
Regulatory fines FTC, PCI, Sarbanes-Oxley
Restitution Money set aside for payment
Additional security and audit requirements those levied as a result of a breach
Other liabilities

Answer the Questions for the Case Study.

Consider the reasons why TJX might have had the weaker WEP encryption configured. Was this internal standard? What could be the reason? List the possible reasons.
Do you feel that TJX properly handled the incident upon discovery of the breach? Consider how incident response procedures are important to the IT Security Program.
Had TJX collected and retained unnecessary personal data? What are the risks of holding onto data?
Did TJX understand where customer data resided, how it was transmitted, and whether it was encrypted?
If the data was encrypted, could the breach have been possible?
Were weaknesses and vulnerabilities within TJX discovered and documented through internal security assessments?