TJX Companies, based in Framingham, MA, was a major participant in the discount fashion and retail market. The TJX brand had a presence in the United States as well as in Canada and Europe. In mid-2005, investigators became aware of major security breaches in TJX's credit card system. These breaches were initially traced to a Marshalls located in St. Paul, MN, where the hackers used a "war driving" strategy to steal customer credit card information. This incident resulted in over 46 million debit and credit card numbers being compromised and is considered to be the biggest security breach in US history.
The security breach at TJX led the major members of the credit card associations to develop the Payment Card Industry Data Security Standard (PCI DSS) in order to better regulate security requirements for merchants' credit card systems. Further investigation revealed that the breaches at TJX could be traced back to 2003. Some crucial aspects driving this scenario included the following:
- TJX's lack of cybersecurity sophistication (i.e. use of WEP, servers constantly in administrator mode, etc.)
- General lack of awareness by the consumer in terms of steps taken to mitigate breach risks
- Unforeseeable and inconsistent requirements set by PCI DSS
CASE FACTS AND ANALYSIS
The key difficulty TJX faced was integrating cybersecurity into its overall business design and stressing its importance at a business level. This required management and IT to align their security strategies (under the rules and policies of PCI DSS) and take a "business back" approach, putting the focus on critical business assets.
More particularly, the various problems involving both TJX and the other players in the credit card payment network include the following:

TECHNOLOGICAL UPGRADES/SOPHISTICATION: TJX was using the Wired Equivalent Privacy (WEP) security protocol for protection, whereas newer and more sophisticated technology was readily available. Beginning in 2001, Wi-Fi Protected Access (WPA) was developed in order to better defend against hackers. Also, in 2007 it was revealed that TJX stored both credit card numbers and expiration date information together in its system.
ISSUES
- Non-compliance: WPA was required by PCI DSS, and storing credit card numbers together with expiration date information violated the standard as well.
- Reporting: TJX never acknowledged any of this in its financial statements/reports.
RESPONSE
- The CIO decided to run the risk of being compromised by sticking with outdated technology (WEP).

LIABILITY/RESPONSIBILITY: One of the key issues is who should be held liable for the breaches. With so many parties involved in the credit card payment process, it is difficult to define a single group as solely responsible.
ISSUE
- Lack of legal standards: no existing laws state who should bear the burden.
RESPONSE
- Issues were to be handled legislatively, but the process is long and drawn out; technology evolves faster than legislation.

INCENTIVES/CONSUMER BEHAVIOR: Consumers were seemingly unaware of the data-breaching technology being implemented.
ISSUE
- Lack of awareness: it is difficult for stores to charge higher prices in order to provide better security (customers showed no change in preferences).
SOLUTION
- This played a role in TJX opting not to abide by certain PCI DSS standards, as sales continued to grow despite these breaches.

Looking at the recommendations I would make, it is important that management first recognize the function of cybersecurity in their overall business structure. They must maintain ongoing interaction with their IT specialists in order to make sure the strategies implemented are continually evolving (weighing business opportunities against business risks). The article released by McKinsey titled "Meeting the Cybersecurity Challenge" focuses on using a "business back" approach. In this context, an entity must target its most important business processes rather than focusing on any current technological vulnerabilities. More specifically, I would recommend that TJX separate the credit card information it holds. As the article puts it, "Separating credit card numbers and expiration dates vastly complicates the task." (p. 5) My personal takeaway from this case is the emphasis on this being a management issue, not just an IT issue. "Companies need to make this a broad management initiative with a mandate from senior leaders in order to protect critical information assets without placing constraints on business innovation and growth." (p. 28)

CASE SPECIFIC QUESTIONS
1. There is generally a lack of clarity as to who should bear the burden when it comes to data-breach liability in contracts between merchants and banks. Many of these cases end up adjudicated or settled. Also, in 2009, the average total cost of a data breach incident was $6.75 million for merchants. TJX reported, in its expenses and reserves account, probable losses of $171.5 million (estimates ran as high as $9 billion). As for card issuers (financial institutions), they assumed the risk for fraud or any issues with non-payment. In the case we learn that these issuers usually "wind up footing the bill" (p. 27). They were looking to shift this responsibility to those who are actually involved in the fraud.
2. The root causes of this breach involve overall lax cybersecurity, no laws in place to set a standard, and a general lack of incentives to keep up with technology. The case refers to an incident in which an employee chose to blog about TJX's ineffective cybersecurity strategies. The blog describes various dysfunctions that allowed hackers to gain access to important information with ease. In order to prevent such incidents from happening again, TJX could conduct simulated cyber-attacks.
3. It is imperative that management and IT are aligned in their overall protection strategies, striving to function as one team rather than as individual groups and departments. They need to make sure implementations/architectures are designed sufficiently to prevent data breaches. At the same time, these strategies must not be so inflexible that the business suffers because of them.
4. PCI must continue to evolve its compliance policies. As noted in the article, a survey was conducted by the Ponemon Institute. Of the 517 security experts involved, 60% agreed that their organization did not have the resources available to reach and maintain compliance with PCI DSS. The government needs to focus on liability issues with these breaches, as the risk of larger incidents increases.
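As an added illustration of the recommendation above to separate card numbers from expiration dates (example code written for this write-up, not TJX's system or anything from the case or the McKinsey article): the PAN and the expiry are held in two stores linked only by an HMAC under a key kept elsewhere, so that a dump of either store alone, or of both without the key, does not yield a complete card record. The class name, the audit helper and the sample data are constructed for this example.

```python
import hashlib
import hmac
import secrets


class SplitVault:
    """Constructed example: PAN and expiry date are kept in separate stores.

    The PAN store is keyed by a random reference token; the expiry store is
    keyed by HMAC(link_key, token). Without link_key, even a thief holding
    both dumps cannot pair a card number with its expiration date. (PCI DSS
    also requires the stored PAN itself to be rendered unreadable; that
    encryption step is omitted here to keep the separation visible.)
    """

    def __init__(self, link_key: bytes):
        self.link_key = link_key      # lives in an HSM/key service, not with the data
        self.pan_store: dict = {}     # token -> PAN
        self.expiry_store: dict = {}  # HMAC(link_key, token) -> expiry

    def _link(self, token: str) -> str:
        return hmac.new(self.link_key, token.encode(), hashlib.sha256).hexdigest()

    def store(self, pan: str, expiry: str) -> str:
        """Record a card; returns the reference token the application keeps."""
        token = secrets.token_hex(16)
        self.pan_store[token] = pan
        self.expiry_store[self._link(token)] = expiry
        return token

    def resolve(self, token: str) -> tuple:
        """Rejoin PAN and expiry; only possible with link_key in hand."""
        return self.pan_store[token], self.expiry_store[self._link(token)]

    def stores_share_keys(self) -> bool:
        """True if any key appears in both stores, i.e. the dumps join trivially."""
        return not self.pan_store.keys().isdisjoint(self.expiry_store.keys())


def colocated_records(records: list) -> list:
    """Audit helper: flag records holding both a PAN and an expiry together,
    the storage pattern the case identifies at TJX."""
    return [r for r in records if "pan" in r and "expiry" in r]


if __name__ == "__main__":
    vault = SplitVault(link_key=secrets.token_bytes(32))
    ref = vault.store("4111111111111111", "12/27")  # constructed test PAN
    print(vault.resolve(ref), vault.stores_share_keys())
```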
Walker, Russell. “Maxxed Out: TJX Companies and the Largest-Ever Consumer Data Breach.” Kellogg Case Publishing, 2013.
Kaplan, James, Sharma, Shantnu, and Weinberg, Allen. “Meeting the cybersecurity challenge.” McKinsey Quarterly, 2011.