TJX Security Breach

  • Published : February 23, 2011
Case Name: Security at TJX

Problem Statement

How should the new CIO of TJX work to strengthen security around the IT infrastructure to prevent, detect, and analyze security breaches that had previously allowed hackers to steal sensitive data?


1 Describe the company/department

1 History

1 Founded in 1976

2 Operates 8 businesses under TJX

1 TJ Maxx

2 Marshalls

3 HomeGoods

4 A.J. Wright

5 Bob’s Stores

6 Winners

7 HomeSense

8 TK Maxx

3 2400 stores

4 125,000 employees

2 Conditions

1 2006 – 138th on Fortune 500

2 Largest apparel and home fashions retailer in off-price segment

3 $17.4 billion in sales for fiscal year 2006

3 Culture

1 Built on efficiencies, vendor relationships rather than fashion

4 Strengths

1 More than triple the size of closest competitor, Ross Stores, Inc.

2 Ability to operate in a low-margin industry and stay profitable

5 Weaknesses

1 IT systems were not up to standards

2 Describe the industry situation

1 Customers

1 Traditional retail shoppers looking for a bargain

2 Span North America and Europe

2 Traditional Competitors

1 Direct

1 Ross

2 Target

3 Kohl's

2 Indirect

1 Department stores (JCPenney, Macy’s, etc.)

2 Deep discount stores (Garden Ridge, BigLots)

3 New market entrants

1 Online marketplace





4 Opportunities

5 Threats

Key Issues

1 Issue #1: TJX has a subpar security system with multiple failure points

2 Issue #2: TJX will be held financially accountable for the distress it has caused its clients and will need to set forth a plan to minimize damage to the reputation of its brand(s)

Relevant Areas, Facts, Conclusions

1 Relevant areas for Issue #1

1 Lack of detection systems, electronic or manual

1 When TJX first noticed the issue in December 2006, intrusions had been occurring for at least 16 months, starting in July 2005

2 Hackers had been leaving messages for each other on the TJX system without detection

3 Per the suggestion of InformationWeek, hackers accessed data by breaking into in-store kiosks and inserting USB drives carrying utility programs, which store employees did not notice

4 Auditors failed to report major issues

5 Conclusion: There was a total system failure in which it took over a year to detect any security breaches. From IT developers and store workers to the vendor systems used by TJX, both people and machines were not properly educated or supported on security matters.

2 Unsecured transfers of data littered the system

1 Data was transferred to payment card issuers without encryption

2 PINs and cheque transactions on the Framingham system were not guaranteed to be masked or encrypted until April 3, 2006 – 9 months into the intrusions

3 The Watford system rolled out masking and encryption at “various points in time”

4 Conclusion: Unsecured data transfers provided a backdoor for hackers to access even the secured data on the system

3 Poor choice of wireless security

1 TJX was using WEP, which can be very easily cracked with some basic internet research

2 Conclusion: For such a large organization, WEP was a poor management choice for wireless security. The average IS college student can break WEP keys.

4 Inadequate logging of data access and updates

1 Once the intrusion was detected, TJX did not have adequate detail to know what data was accessed, when, or by whom

2 TJX estimated 46 million, but it was likely closer to 94 million

3 Conclusion: This was the straw that broke the camel’s back. After the intrusions were detected, TJX could not be confident that sensitive data was or was not accessed. This accounts for their gross underestimation of the number of customers affected.

2 Relevant areas for Issue #2

1 Poor RIM strategy led to increased number of customers affected

1 TJX had...