
The Worst Data Theft Ever, MIS Case

TJX, the leading off-price retailer of apparel and home fashions in the U.S., was a victim of the biggest data theft involving credit and debit cards information.

Uploaded by nesjyn

THE WORST DATA THEFT EVER

MIS CASE STUDY

I. CASE BACKGROUND

TJX, the leading off-price retailer of apparel and home fashions in the U.S., was a
victim of the biggest data theft involving credit and debit card information. TJX
operates chains of department stores in the U.S. including T.J. Maxx, Marshalls, Home
Goods, A.J. Wright Stores, and Winners and Home Sense in Canada. It all started when
conspirators identified a vulnerable network at a Marshalls department store in Miami
and used it to install a sniffer program on the computers of the chain's parent
company, TJX. Consequently, the hackers were able to access the central TJX database,
stealing 45 million credit and debit card numbers from its chain stores' customer
transactions.

II. ANSWERS TO CASE STUDY QUESTIONS

1. List and describe the security control weaknesses at TJX Companies.
o TJX was still using the outdated Wired Equivalent Privacy (WEP) encryption
  system, which is relatively easy for hackers to crack.
o TJX neglected to install firewalls and data encryption on many of its computers
  using the wireless network.
o TJX did not properly install another layer of security software that it had
  purchased.
o The companies transmitted credit card data to banks without encryption, violating
  credit card company guidelines.
o TJX retained cardholder data in its systems much longer than stipulated by
  industry rules for storing such data.

2. What management, organization, and technology factors contributed to
these weaknesses?
As to people, the hackers themselves are to blame because of their illegal and
unethical activities. Driven by self-interest and the desire for money, the conspirators
committed this cybercrime heedless of the catastrophe they could cause to TJX, the
credit card industry, and the victims of the theft.
As to organization, TJX and card-issuing institutions such as banks should have been
more responsible in protecting the confidentiality of the information entrusted
to them. TJX and the credit card companies were complacent about their existing security
systems. TJX in particular did not follow industry protocols and credit card company
guidelines. Likewise, had banks been stricter in implementing and monitoring
compliance of companies' credit card transactions and alerted clients to red flags, the
damage would have been less. Similarly, companies were so driven by short-term
profits that they were reluctant to invest significantly in a foolproof security system and
ignored protocols to maximize their gains.
As to technology, there is no such thing as a foolproof system: over time, technology
needs to change and be upgraded, because culprits will eventually figure out how
to hack the system.
3. What was the business impact of TJX's data loss on TJX, consumers and
banks?
TJX's data breach has rocked the retail and banking industries, and many estimate
that it will cost hundreds of millions or even billion-plus dollars in financial damage.
Because of the magnitude of the financial losses incurred by both TJX and the credit card
issuers, the incident should leave a valuable lesson for every business, be it
big or small. Investing in systems security may cost a significant amount, but the effects of a
security breach may be far more costly. Companies must weigh the costs against the
benefits of implementing security measures in their business systems.
4. How effectively did TJX deal with these problems?
In 2008 the TJX management decided to strengthen its information system. Around
$300 million was spent by the banks to replace the stolen cards and recover losses. In
fiscal 2009, TJX paid $225 million for the settlement of the theft, which was expected to
reach $1 billion in 5 years after implementing security upgrades, additional marketing
expenses, and consultancy fees. TJX's contingency measures are on the right track;
however, whether or not it has regained its customers' trust is still
uncertain.
5. Who should be held liable for the losses caused by the use of fraudulent
credit cards in this case? TJX? The banks issuing the credit cards? The
consumers? Justify your answer.
First of all, the fiasco was the result of TJX management's negligence and
noncompliance with credit card guidelines and industry standards in data processing and
storage. But the losses should not be shouldered solely by TJX. The credit card issuers or
banks should also take responsibility. They were also partly at fault. They should also
be more stringent with regard to approving credit card transactions. Banks should have
monitored and audited business transactions and immediately alerted clients to red
flags or suspicious transactions in order to minimize losses.

6. What solutions would you suggest to prevent the problems?
A company as huge as TJX must implement the following controls:

Software controls: TJX must constantly upgrade its security systems in order to
avoid being vulnerable to internal and external threats.

Hardware controls: TJX must also secure the hardware that maintains the system.
Perimeter security must include installation of routers and hardware upgrades.

Computer operations controls: Since TJX is a huge retailer, comprising numerous
chains all over North America, it must also establish its own security operating center
for monitoring the security of its systems (including LAN, WAN, Web and database).

Data security controls: TJX must restrict data access to authorized
personnel only, using high-level encryption, passwords, lock keys, and fingerprint or voice
recognition security protocols when necessary.

Implementation & administrative controls: Rigorous training must be conducted for IT
people and employees who have direct access to the system in order to avoid internal
risk.
III. RECOMMENDATION

The risk of a security breach is conspicuous and should not be taken lightly.
Companies like TJX must do their part in protecting client information at all costs. They
must invest in system security upgrades and must follow protocols and guidelines
accordingly. The company should also review its own policies and procedures and make
changes. In addition, there should also be regular training conducted for IT people and
employees who have direct access to the system in order to avoid internal risk.
Likewise, the company should hire external system auditors in order to ensure
compliance and prevent incidents such as this. Lastly, the company must not forget
that technology has its own limitations, too. Continuous improvements are necessary.

IV. CONCLUSION

The risk of a cybersecurity attack is conspicuous and should not be taken lightly. As
implied by the case of TJX, investment in state-of-the-art technology is a must.
Investment in technology may seem very expensive, but as the TJX incident shows, the
expenses after a major mishap could turn the company upside down. Due to new bills
and regulations, companies will have to pay for the damage they caused while huge
banks are trying to pay as little as possible. Hence, checking, monitoring and updating
security systems regularly is critical to avoid being an easy target for the growing
cybercrime community. The TJX case indeed was the worst data theft ever.
