TJX Security Breach
Abstract
Security breaches of information systems, especially computers, are an ever-present risk which should not be ignored. They should always be taken into consideration, and measures against them put in place.
Keywords: Decryption: the process of transforming an encrypted message back into its original plaintext. Encryption: the transformation of data (called “plain text”) into a form (called “cipher text”) that conceals the data’s original meaning to prevent it from being known or used.
Areas that require attention:
People
The TJX security breach would not have been as bad had there not been errors made by people. One of them was that the company kept too much personal information, which was used in business transactions. The “Framingham system” processed and stored information pertaining to debit and credit card, cheque and unreceipted merchandise-return transactions for customers of T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the United States and Puerto Rico, and of Winners and HomeSense stores in Canada.
The “Watford system” processed and stored information related to payment card transactions at T.K. Maxx. The information received in the Framingham system from its stores in the United States, Puerto Rico and Canada pertained to returns of merchandise without receipts and to some cheque transactions. The personal information consisted of driver’s license numbers and identification (ID) numbers (such as military and state ID, in some cases including social security numbers), together with the names and addresses of the customers who had returned goods (Jeanne Ross and Peter Weill, 2002).
Work process
The work process is also flawed and requires attention, because it relies too heavily on internal information systems for the off-price stores and for staying competitive. This enables rapid delivery of data, facilitating quick decisions at different levels (http://www.washingtonpost.com).
Technological failure
But perhaps the technological failure is what requires the most attention. Since we learn of this security breach as a hacking, there must have been technological failures. Had the systems’ security technology been up to the task, this would probably never have happened (http://www.privcom.gc.ca/index_e.asp). The encryption process needs attention, as it could not prevent decryption by external unauthorized parties. A wireless attack, by way of the hand-held guns that tell the price of commodities, captured the company’s IP addresses. The USB drives contained a utility program that let the intruder or intruders take control of the computer kiosks and turn them into remote terminals that connected into TJX’s networks. The firewalls on TJX’s main network weren’t set to defend against traffic coming from the kiosks. Typically, the USB ports in the computer kiosks are used to plug in mice or printers. Processing logs also need a close look, because it has been noted that there were no processing logs to provide information about files on the system. For technology to show its usefulness, it must show its compliance practices, something which was lacking. The absence of network monitoring, the absence of logs and the presence of unencrypted data stored on the system, plus the retention of years of customer data, show a problem in auditing practices.
What can be done
TJX can improve on several things, especially on the various failure points, beginning with the people at TJX and the decisions they make. All actions taken, whether in the work process or in the technology field, require sound decisions first. This can be achieved through consulting, especially with specialists who will best recommend the steps to take. The company should also learn not to rely too much on electronic information systems for various crucial interactions. Where there is no practicable alternative, it is essential to secure this form of interaction, as TJX relies on it entirely (http://www.privcom.gc.ca/index_e.asp). The systems technology is what requires the most intervention, though. Old methods of encryption need to be replaced with new ones, as hackers keep up with technology and TJX’s encryption processes were no match for the hackers’ decryption. The same goes for the wireless connections, where more backup security should be put in place to counter ongoing hacking (http://www.washingtonpost.com). This is because hacking through wireless connections can be detected in real time and can be predicted, for instance around the peak sales period (Jeanne Ross and Peter Weill, 2002). The firewalls on TJX’s main network should be set to defend against traffic coming from the kiosks. TJX should process log data to provide forensic analysis of files in the system. Almost in line with the recommendation at the people level is compliance with regulations; had compliance been enforced, this kind of breach would not have taken place. TJX also has to start providing network monitoring and logs, and has to get rid of unencrypted data in the system (http://www.privcom.gc.ca/index_e.asp). Among the recommendations mentioned, technological changes, especially to encryption, wireless connections and auditing practices, should be given immediate priority. Processing logs and compliance practices, if applied over the long term, will greatly reduce the risk of another breach.
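As an added illustration (not from the essay or its sources), the following Python script shows the kind of network monitoring and log processing recommended above: it parses constructed firewall log lines and flags accepted connections from the kiosk segment into the card-processing segment, the traffic the text says TJX’s firewalls were not set to block. The address ranges, the log format and the sample lines are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Assumed address plan (not TJX's real one): kiosks on one segment,
# card-processing hosts on another.
KIOSK_NET = ipaddress.ip_network("10.50.0.0/16")
PAYMENT_NET = ipaddress.ip_network("10.10.0.0/16")

# Constructed firewall log lines in a simple key=value style.
SAMPLE_LOG = """\
2007-01-10T09:01:12 action=ACCEPT src=10.50.3.21 dst=10.10.1.5 dport=445
2007-01-10T09:01:13 action=ACCEPT src=10.50.3.21 dst=10.10.1.5 dport=1433
2007-01-10T09:02:40 action=ACCEPT src=10.20.7.8 dst=10.10.1.5 dport=1433
2007-01-10T09:03:02 action=DROP src=10.50.3.21 dst=10.10.1.9 dport=22
2007-01-10T09:04:15 action=ACCEPT src=10.50.4.77 dst=10.10.2.14 dport=3389
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec

def find_kiosk_to_payment(log_text):
    """Return accepted flows from the kiosk segment into the payment segment.
    A correctly configured firewall would DROP these, so each hit is a policy gap."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        if rec["src"] in KIOSK_NET and rec["dst"] in PAYMENT_NET:
            hits.append(rec)
    return hits

def summarize(hits):
    """Count offending kiosk sources and destination ports for the analyst."""
    return {"sources": Counter(str(h["src"]) for h in hits),
            "ports": Counter(h["dport"] for h in hits)}
```

Run over the sample, three accepted kiosk-to-payment flows are reported while the dropped SSH attempt and the flow from a non-kiosk host are ignored; the same parser can be pointed at real exported firewall logs once the segment ranges are filled in.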
TJX Security Breach could have been avoided
Ultimately, had TJX taken more precautions, this would not have happened. TJX was a leading company, very big and three times larger than its immediate competition (Jeanne Ross and Peter Weill, 2002). It also took home profits in the billions, and a company like that ought to have taken steps to prevent it (http://www.washingtonpost.com). It also let down its loyal customers, who were the innocent victims of incompetence. It can also be asked why this had to happen to such a big company and not at others. It can be concluded that the risk of hacking was not regarded as serious, and therefore TJX did not do much to prevent it.
References
http://www.washingtonpost.com/wpdyn/content/article/2008/01/12/AR2008011200275.html?wpisrc=newsletter
http://www.privcom.gc.ca/index_e.asp
Jeanne Ross and Peter Weill, “Six Decisions Your IT People Shouldn’t Make,” Harvard Business Review, November 2002