Question
Data Security at TJX
In November 2005 Fidelity Homestead, a savings bank in Louisiana, began noticing suspicious charges from Mexico and southern California on its customers' credit cards. More than a year later, an audit revealed peculiarities in the credit card data in the computer systems of TJX Companies, an international retailer of apparel and home fashions.
TJX delayed announcement of the intrusion until January 2007, when it admitted that hackers had compromised nearly 46 million debit and credit card numbers, the largest-ever data breach in the United States.
In the summer of 2007 officials gained access to a suspect's hard drive in Turkey and identified the program on the drive as the same one used in the TJX intrusion. Messages between the suspect and his affiliates in the United States linked the crime to a well-known hacker whose username, "Soup Nazi," referenced a character from the American television show Seinfeld. The Secret Service knew the username well. Albert Gonzalez had been arrested in 2004 as part of the Secret Service's Operation Firewall, a major investigation into a global network of credit card fraud.
Following TJX's announcement of the data loss, affected parties filed lawsuits in an attempt to recoup their costs. The question of liability was complicated because there were no laws defining who was liable when a retailer that was not in compliance with PCI DSS lost credit card data. "Under current law, financial institutions (FIs) that issue the debit or credit cards often ultimately wind up footing the bill for both fraud-related losses and costs of issuing new cards and/or accounts for their customers . . . . FIs have also been involved in lobbying efforts designed to statutorily shift fraud losses and associated costs away from FIs to the entities actually responsible for the data security breach. A legal fight is brewing in both the courts and legislatures over who will ultimately bear the losses of identity theft-related fraud."
Impact
In 2009 the average total cost to a merchant for a data breach was $6.75 million, or $204 per compromised record. At that rate the cost to TJX of 46 million compromised records would have exceeded $9 billion. Through the end of 2009 TJX reported expenses and reserves for probable losses of $171.5 million.
Lesson Learned?
In May 2008 information about TJX's network security appeared on an Internet forum. A TJX employee revealed that blank passwords could be used on the company's servers and that the servers were always in administrator mode, "making it easy for hackers - or store employees - to have escalated privileges on the system once they entered it." The employee alleged he brought the security problems to the attention of his store manager before he chose to blog about it.
Questions using above information:
1a. Utilizing a method that approaches maturity based on multiple maturity areas, please identify the maturity level of TJ Maxx in the case study. What are the weakest and strongest developed maturity areas? Please add the details of your scoring areas in your response.
1b. What are steps that the organization can take to increase maturity of this company in the future? Why?
1c. Keep in mind the ethical and moral implications of working in the risk management and assessment field. If you were in charge of risk management, describe TWO potential ethical dilemmas you may experience, and how you can manage or prevent them.
Step by Step Solution
Step: 1
1a. Maturity level of TJX Companies: Based on the case study, I would evaluate the maturity level of TJX Companies using the CMMI (Capability Maturity Model Integration) framework, which assesses an organiz...