Question

Please answer ASAP!!!!

TJX Credit Card Breach

Imagine being the chief information officer (CIO) of one of the largest department store chains in the United States. Now imagine your CEO publicly announces that the company has just become the victim of the largest known theft of credit card data in history. This is a nightmare situation for any IT security professional, and this is what happened to The TJX Companies.

The TJX Companies, Incorporated is a large off-price retailer of apparel and home fashion. The company operates under several brands, including T.J. Maxx and Marshalls. On January 17, 2007, TJX announced it had become a victim of an intrusion into portions of its information systems that process and store customer transaction data.

An unauthorized intruder first accessed systems in July 2005, and unauthorized access continued through mid-January 2007. On December 18, 2006, TJX discovered suspicious software on its systems and immediately initiated an investigation along with leading computer security firms. Within a few days, TJX had notified law enforcement officials and met with the U.S. Department of Justice and the U.S. Secret Service to brief them on the discovery. Shortly thereafter, TJX notified contracting banks and payment card processing companies. Before the public announcement of the incident, the company had notified the U.S. Federal Trade Commission (FTC), the U.S. Securities and Exchange Commission (SEC), and the Canadian authorities.

At the time, this had evolved into the biggest credit card breach in history. Conservative estimates initially put the number at over 45 million credit and debit cards breached, as well as the personal information of hundreds of thousands of customers, including Social Security numbers and driver's license numbers.

Although the exact details of the breach aren't clear, what is known is that the breach initially occurred as a result of the attackers targeting the wireless network of one of TJX's retail stores. The wireless network used Wired Equivalent Privacy (WEP) as an encryption method, which even at the time had been proven inadequate. The alternative was Wi-Fi Protected Access (WPA), which was introduced to replace WEP. Once the attackers penetrated this weak link, they eavesdropped on usernames and passwords used to log on to TJX's main systems in Framingham, Massachusetts. Eventually, the attackers created their own accounts on the main system and collected sensitive data.

In the aftermath, TJX has become the poster child for credit card breaches. The incident has also generated a lot of conversation and debate around adequate security controls for confidential personal information. Much of the blame for this incident was placed on the poorly secured wireless networks, but what type of defense in depth or compensating controls existed? The FTC charged TJX with failure to maintain proper security controls, specifically citing the lack of firewalls, wireless security, failure to patch vulnerabilities, and failure to update antivirus signatures.

The following are highlights of the fallout for TJX resulting from the breach:

- The company agreed to pay $9.75 million to settle state investigations.

- The company settled with the FTC. As a result, TJX had to create a comprehensive security program to protect the confidentiality of personal information it collects. In addition, TJX must submit to a third-party audit of the program every two years for the next two decades.

- The company settled lawsuits brought by consumers and banker groups. Customers were provided with a special, three-day sale and vouchers as a result of the settlement of class-action lawsuits.

- The company settled with Visa and MasterCard for almost $41 million.

- The company was required to implement a data-security program to ensure that this type of incident could never happen again.

- The company offered three years of credit monitoring to about 450,000 people who needed to provide their driver's licenses for transactions that occurred in the stores.

Unlike the collapse of Enron and WorldCom, TJX did not break any laws. It was simply not compliant with stated payment card processing guidelines. Court documents filed by the banks that sued TJX indicated that TJX did not comply with 9 of the 12 broad provisions within the standard established for the payment card industry. Although the breach has been costly for TJX, it is a multibillion-dollar retailer that has survived and made appropriate adjustments. Smaller organizations, however, might not have survived.

Although it costs money to implement proper controls and procedures for compliance, noncompliance and security breaches have their own costs.

The following are some questions to answer:

- Do you feel that TJX properly handled the incident upon discovery of the breach? If yes, discuss why with a minimum of three points; if no, discuss why with a minimum of three points.

- Had TJX collected and retained unnecessary personal data? If yes, discuss why with a minimum of three points; if no, discuss why with a minimum of three points.

- Did TJX understand where customer data resided, how it was transmitted, and whether it was encrypted? If yes, discuss why with a minimum of two points; if no, discuss why with a minimum of two points.

- Were weaknesses and vulnerabilities within TJX discovered and documented through internal security assessments?

- Calculate the SLE (Show your work)
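The last question asks for the single loss expectancy and for the work to be shown. As an added example that is not part of the posted case text or of the textbook it comes from, the following Python carries the standard quantitative risk formulas through on constructed figures: SLE = AV x EF, ALE = SLE x ARO, and the cost/benefit of a safeguard (the ALE it removes minus its yearly cost), which is the trade-off the case raises between paying for controls and paying for a breach. Every dollar amount, exposure factor, rate of occurrence and control cost in it is an assumption chosen for illustration, not a real TJX figure.

```python
"""Quantitative risk figures for a breach scenario: SLE, ALE and safeguard value.

Added example, not part of the posted case text. Every input below (asset value,
exposure factor, annual rate of occurrence, control cost) is a constructed
assumption for illustration and is not a real TJX figure.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """Inputs for one asset/threat pair."""
    name: str
    asset_value: float      # AV: dollar value of the asset exposed (constructed)
    exposure_factor: float  # EF: fraction of AV lost in a single incident, 0.0..1.0
    aro: float              # ARO: expected number of incidents per year


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF, the dollar loss from one occurrence of the threat."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, the expected loss per year."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Cost/benefit of a control: the ALE it removes minus what it costs each year.

    Positive means the control saves more than it costs; negative means the
    organization would spend more on the control than it is expected to save.
    """
    return (ale_before - ale_after) - annual_control_cost


def show_work(before: Scenario, after: Scenario, annual_control_cost: float) -> dict:
    """Compute SLE/ALE for the 'before' and 'after' scenarios and return the steps.

    Returns the numbers plus the worked lines a student would write out under
    'show your work'.
    """
    sle_before = single_loss_expectancy(before.asset_value, before.exposure_factor)
    ale_before = annualized_loss_expectancy(sle_before, before.aro)
    sle_after = single_loss_expectancy(after.asset_value, after.exposure_factor)
    ale_after = annualized_loss_expectancy(sle_after, after.aro)
    value = safeguard_value(ale_before, ale_after, annual_control_cost)
    lines = [
        f"SLE (before) = AV x EF = ${before.asset_value:,.0f} x {before.exposure_factor} = ${sle_before:,.0f}",
        f"ALE (before) = SLE x ARO = ${sle_before:,.0f} x {before.aro} = ${ale_before:,.0f}",
        f"SLE (after)  = AV x EF = ${after.asset_value:,.0f} x {after.exposure_factor} = ${sle_after:,.0f}",
        f"ALE (after)  = SLE x ARO = ${sle_after:,.0f} x {after.aro} = ${ale_after:,.0f}",
        f"Safeguard value = (ALE before - ALE after) - annual control cost = ${value:,.0f}",
    ]
    return {
        "sle_before": sle_before,
        "ale_before": ale_before,
        "sle_after": sle_after,
        "ale_after": ale_after,
        "safeguard_value": value,
        "work": lines,
    }


# Constructed scenario (assumption, not TJX data): cardholder data reachable from
# a store wireless network. "Before" models the weak configuration the case
# describes (WEP on store wireless); "after" assumes the same data protected by
# WPA and network segmentation, which lowers how often a compromise is expected
# (ARO) but not the value of the data itself (AV) or the share lost per incident (EF).
BEFORE = Scenario("cardholder data, WEP wireless", asset_value=100_000_000, exposure_factor=0.6, aro=0.2)
AFTER = Scenario("cardholder data, WPA + segmentation", asset_value=100_000_000, exposure_factor=0.6, aro=0.02)
ANNUAL_CONTROL_COST = 2_000_000  # constructed yearly cost of the new controls


if __name__ == "__main__":
    for line in show_work(BEFORE, AFTER, ANNUAL_CONTROL_COST)["work"]:
        print(line)
```

With the constructed inputs, the SLE is $60,000,000, the ALE falls from $12,000,000 to $1,200,000 once the controls are in place, and the safeguard value is $8,800,000 per year, so the controls are cheaper than the expected losses they prevent. Swapping in a real asset valuation and an exposure factor from the case is all the "show your work" answer needs.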
