TJX Companies, based in Framingham, MA, was a major participant in the discount fashion and retail industry. The TJX brand had presence in the United States as well as in Canada and Europe. In mid-2005, investigators were made aware of serious security breaches experienced in TJX’s credit card system. These breaches were first found at a Marshall’s located in St Paul, MN in which the hackers implemented a “war driving” tactic to steal customer credit card information. This incident resulted in over 46 million debt and credit card numbers being compromised and is considered to be the largest security breach in US history. The security breach at TJX resulted in major members of the credit card association to establish the Payment Credit Industry Data Security Standard (PCI DSS) in order to better regulate security needs for merchants’ company credit card systems. Further investigation revealed that these breaches at TJX could be traced back to 2003. Some key factors driving this situation included the following: TJX’s lack of cybersecurity sophistication (i.e. use of WEP, severs always in administrator mode, etc.) Overall lack of awareness by the consumer in terms of steps taken to mitigate breach risks Unpredictable and inconsistent standards set by PCI DSS
CASE FACTS AND ANALYSIS
The key challenges TJX faced was implementing cybersecurity into their overall business model and emphasizing its importance on a corporate level. This required management and IT to align their security strategies (under the rules and regulations of PCI DSS) and take a “business back” approach, putting the focus on important business asset. More specifically, various issues involving both TJX and the other players in the credit card payment network include: TECHNOLOGICAL UPGRADES/SOPHISTICATION: TJX found themselves using the Wired Equivalent Privacy (WEP) security protocol for protection, whereas newer and more advanced technology was available. Starting in 2001, Wi-Fi Protected Access (WPA) was created in order to better combat hackers. Also, in 2007 it was revealed that TJX stored both credit card numbers and expiration date information together in its system. ISSUES
Non-Compliance: WPA was required by PCI DSS, storing credit card numbers and expiration date information violated standards as well Reporting: Never acknowledged any of this in financial statements/reports RESPONSE
CIO decided to run risk of being compromised by sticking with outdated technology (WEP) LIABILITY/RESPONSIBILITY: One of the key issues is who should be held liable for the breaches? With so many parties involved in the credit card payment process, it’s difficult to define a certain group solely responsible. ISSUE
Lack of Legal Standards: no existing laws stating who should bear burden RESPONSE
Issues were to be handled legislatively, but process is long and drawn out Technology evolving faster than legislation
INCENTIVES/CONSUMER BEHAVIOR: Consumers were seemingly unaware of data breaching technology being implemented. ISSUE
Lack of awareness: difficult for stores to charge higher prices in order to provide better security (customers showed no change in preferences) SOLUTION
Played a role in TJX opting not to abide by certain PCI DSS standards as sales continued to grow despite these breaches. Looking at recommendations I would make, it’s important that management first recognize the function of cybersecurity in their overall business structure. They must maintain ongoing interactions with their IT specialists in order to make sure strategies implemented are continually evolving (weighing business opportunities versus business risks). In the article released by McKinsey titled Meeting the Cybersecurity Challenge, there is a focus on using a “business back” approach. In this context, an entity must target the most important business processes rather than focusing on any current technological vulnerabilities. More specifically I would recommend that TJX separate their company credit card information. As the article puts it, “Separating credit card numbers and expiration dates vastly complicates the task.” (p. 5) My personal takeaway from this case is the emphasis of this being a management issue, not just an IT issue. “Companies need to make this a broad management initiative with a mandate from senior leaders in order to protect critical information assets without placing constraints on business innovation and growth.” (p. 28) CASE SPECIFIC QUESTIONS
1. There is generally a lack of clarity as to who should bear the burden when it comes to data-breach liability contracts between merchants and banks. Many of these cases end up adjudicated or settled. Also, in 2009, the average total cost for a data breach incident was $6.75 million for merchants. TJX reported, in their expenses and reserves account, probable losses of $171.5 million (estimates were as much as $9 billion). In terms of card issuers (financial institutions), they assumed the risk for fraud or any issues with nonpayment. In the case we learn that these issuers usually “wind up footing the bill” (p. 27). They were looking to shift this responsibility to those who are actually involved in the fraud. 2. The root causes of this breach involve overall lax cybersecurity, no laws intact to sell to set standard, and a general lack of incentives to keep up with technology.
The case refers to an incident in which an employee chose to blog about TJX’s ineffective cybersecurity strategies. In this blog, it describes various dysfunctions that allowed hackers to gain access to important information with ease. In order to prevent such incidences from happening again, TJX could conduct simulated cyber-attacks. 3. It’s imperative that management and IT are aligned in their overall protection strategies, striving to function as one team rather than individual groups and departments. They need to make sure implementations/architectures are designed sufficiently in order to prevent data breaches. At the same time, these strategies must not be too inflexible that business suffers because of it. 4. PCI must continue to evolve its compliance policies. As noted in the article, there was a survey conducted by the Ponemon Institute. Of the 517 security experts involved, 60% agreed that their organization did not have the resources available to reach and maintain compliance with PCI DSS. The government needs to focus on liability issues with these breaches, as risk of larger incidences increases.
Walker, Russell. “Maxxed Out: TJX Companies and the Largest-Ever Consumer Data Breach.” Kellogg Case Publishing, 2013.
Kaplan, James, Sharma, Shantnu, and Weinberg, Allen. “Meeting the cybersecurity challenge.” McKinsey Quarterly, 2011.