TJ MAXX BREACH
Harold Bishop
CSIA 301
UMUC
November 16, 2012
Abstract
TJX, a retail company based in Massachusetts, operates Marshalls, T.J. Maxx, and other stores. The store and its subsidiaries accept electronic payment through Visa and MasterCard in addition to cash payment. The retailer's electronic payment system suffered a major blow when it was hacked in 2006. The breach compromised customers’ debit and credit card details. T.J. Maxx revealed that about 45.6 million debit card and credit card numbers were stolen. The mere fact that hackers managed to access such a large amount of information signifies that T.J. Maxx either was unsuccessful in truncating and encrypting card numbers or did not secure its encryption keys. This study will focus on the circumstances of how the breach occurred and the losses of confidentiality, integrity, and availability after the breach, and will suggest technological improvements to prevent a recurrence. Various sources of literature will be explored to create an understanding of security systems and how the T.J. Maxx system fell to the might of hackers.
Introduction
T.J. Maxx is one of the subsidiaries of TJX Companies. TJX is a large chain of department stores based in Massachusetts. The company retails home-based apparel and fashion. The company operates Marshalls, T.J. Maxx and other stores. The TJX Company has yearly sales revenue that exceeds fifteen billion dollars. The company accepts electronic payment through its network, where buyers can use Visa and MasterCard to pay for goods. The store was, however, complacent in protecting its network's electronic payment system, and as a result, it experienced the worst network system breach ever. The security breach occurred when hackers breached the database of the company and stole confidential data of customers. The number of customers whose information was affected was over forty-five million. Records show that the company experienced a system breach in late December (Oram & Viega, 2009). The hackers breached the system of T.J. Maxx by gaining unauthorized access to customers’ check clearing, debit card and credit card information. It was one of the biggest data breaches ever recorded. A cyber security or hacking breach can be performed for various reasons. Such reasons can include data duplication, unauthorized data extraction, data tampering, data exfiltration, data deletion, data eavesdropping, data downloading, malicious data attack and data spoofing. This study will focus on the circumstances of how the breach occurred and the losses of confidentiality, integrity, and availability after the breach, and will suggest technological improvements to prevent a recurrence.
This was a security breach because hackers intentionally misused a network system to access data in a manner that adversely affected the security of T.J. Maxx’s data and systems operations. Cyber security threats are often complex, varied and evolving. People who carry out cyber security breaches are usually very motivated. As a result, they even strive to breach systems that are very secure. Given that cyber security can hardly be foolproof, preventive measures should be introduced to network systems to help reduce the risk of exposure to hackers.
Gallaher, Link & Rowe (2008) state that a good number of cyber security breaches cause the loss of sensitive, valuable and confidential data. A security breach can also aim to disrupt or damage a network system or to use a system in an unauthorized manner. In essence, a cyber security breach allows hackers to contravene the internal use of a system. T.J. Maxx had kept a lot of personal information about its clients for a long period. Its security system was feeble and used a weaker encryption technology, which made it very vulnerable to hackers. Hackers managed to mine, extract and download personal information that belonged to more than forty-five million T.J. Maxx clients. The debit card and credit card data was later encoded on false credit cards and used to buy merchandise worth over a million US dollars from Wal-Mart retail stores.
Lewis (2003) posits that the security breach led to the loss of customers’ personal information such as credit card details, personal details, social security details, and driver's license details and numbers. Hackers were able to download those details after intruding into the network system of the company. It was possible to breach the security because the wireless network system had weak encryption codes. Clients’ credit cards and debit cards store a lot of information on their magnetic strips. The information is normally in an unencrypted format, which makes it visible to computer swipe systems as plain text. As a result, when a credit or debit card is swiped on a store's or merchant's terminal to pay for purchased goods, the client's data and details are transmitted from the payment terminal to a payment network system.
The transfer process is relatively fast and takes only a few seconds to reach its final destination. Nevertheless, data is very vulnerable on that journey. In the short period that data travels through the network, hackers who have access to the network system are able to steal customers' information. Hackers can access the network system by unlocking the data codes used for securing the system or by penetrating security firewalls. In the same way, hackers could have penetrated the T.J. Maxx security firewalls, as the company was using a weaker encryption method. Hence the hackers easily unlocked the data codes and managed to download a lot of customers’ confidential details.
The hackers used the stolen data to encode fake credit cards, which impersonators used to purchase merchandise in other retail stores. The suspects arrested with fake credit cards confessed to having bought the stolen information from undisclosed hackers. This means that the hackers sold the stolen client information to the imposters who bid the highest amount. For that reason, a loss of data confidentiality was evident, as most users of debit and credit cards provided their personal information to the card companies assuming that the personal details they disclosed would only be used to expedite their business transactions. The chances of such information landing in the wrong hands were high. This put those clients in a vulnerable position, both in terms of security and in terms of monetary losses resulting from the abuse of that information (Shoemaker, Conklin & Conklin, 2011).
This argument arises because credit and debit cards normally contain details that can give a hacker the customer's place of work, residential address, occupation and other information that would have remained confidential in the hands of trusted systems. This type of loss can lead to a loss of confidence in the institutions that offer goods and services and that acquire confidential information to allow those transactions to continue. It is because clients assume the details they give remain confidential that a majority of service providers are able to offer very personalized services. When people find out that their information has landed in the wrong hands, they feel cheated and, besides losing their money, are unable to anticipate or predict the future activities of hackers.
One thing that makes large organizations like T.J. Maxx attractive to hackers is that they are goldmines of personal information. According to Powner (2010), all organizations that conduct business transactions with customers using payment methods other than cash are vulnerable too. This is because if those transactions go through debit and credit cards, then the organizations certainly hold more consumer details packed with confidential data. Given the data these organizations hold, most of their customers assume that the people who access their information are individuals of high integrity who can maintain the confidentiality of consumers’ information.
In this age where IT plays an important role, cyber security is not an option; it is a prerequisite. Organizations and clients spend millions of dollars annually on cyber security solutions. Their efforts aim at protecting their databases and systems from external threats and viruses. With the extensive use of online transactions, there are a number of misunderstandings about cyber security solutions and their capabilities. Improving information security to prevent a recurrence of the breach will necessitate a reconsideration of the critical elements of the Internet. In particular, the need for anonymity on the network is important. To lessen the vulnerability to e-mail security scams and phishing, organizations must install proficient enterprise-level email security software. This software will check both outgoing and incoming messages so that spam messages are not transmitted when the network system is compromised. Additionally, organizations should regularly train network staff in Internet security so that those users are aware of e-mail scams (Wilshusen, 2010).
To prevent a recurrence, data security should be maintained even if a device is stolen or lost. Data on devices that store sensitive customer details should be encrypted. Stronger data encryption, anti-malware solutions and user authentication must be enforced. Moreover, implementing a strict usage policy on all mobile devices will help in monitoring the network for any malicious activity. Another way of preventing future breaches is to run regular network scans using a freeware program such as Net View. Regular scans will allow the network administrator to recognize whether an imposter has installed new equipment on the network. Patching and updating should also be performed regularly. Updating application software and the operating system is a good way of preventing breach attempts that are initiated from outside the perimeter of the network. A product such as Microsoft Baseline Security Analyzer is effective in ensuring that the network computers under your care are updated and have all of the needed patches.
To keep information from being easily accessible and to reduce security risks, organizations should ensure that they do not gather a lot of irrelevant personal details. The collected data must also not be kept for too long (Theohary, 2010). Organizations must also use a network system with complex encryption codes to minimize the risk of exposing transmitted data to hackers between the card swipe point and the payment network.
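The truncation and retention measures recommended in the abstract and in the paragraph above, as an added example that is not part of the original essay: a Python routine that purges stored records past a retention window, strips magnetic-stripe track data down to the card number, and truncates any Luhn-valid card number. The 90-day window, the first-six/last-four masking format, the record layout and all function names are assumptions made for illustration, and the sample records are constructed.

```python
import re
from datetime import date, timedelta

RETENTION_DAYS = 90  # assumed policy value, not taken from the essay

# Track 2 layout: ;PAN=YYMM, service code, discretionary data, then '?'
TRACK2 = re.compile(r";(\d{13,19})=\d{4,}\?")
PAN = re.compile(r"\b\d{13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits and mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def sanitize(text: str) -> str:
    """Discard track data after the PAN, then truncate Luhn-valid PANs."""
    text = TRACK2.sub(lambda m: m.group(1), text)
    return PAN.sub(
        lambda m: truncate_pan(m.group()) if luhn_ok(m.group()) else m.group(),
        text,
    )

def enforce_policy(records, today, retention_days=RETENTION_DAYS):
    """Purge records older than the retention window; sanitize the rest."""
    cutoff = today - timedelta(days=retention_days)
    return [
        {**r, "raw": sanitize(r["raw"])}
        for r in records
        if r["captured"] >= cutoff
    ]

# Constructed sample records; 4111111111111111 is a widely used test number.
SAMPLE = [
    {"id": 1, "captured": date(2006, 12, 1),
     "raw": "swipe ;4111111111111111=08121010000000000000? ok"},
    {"id": 2, "captured": date(2006, 12, 10),
     "raw": "order 1234567890123456 card 4111111111111111"},
    {"id": 3, "captured": date(2005, 1, 15), "raw": "card 4111111111111111"},
]

if __name__ == "__main__":
    for rec in enforce_policy(SAMPLE, today=date(2006, 12, 18)):
        print(rec["id"], rec["raw"])
```

Record 3 is dropped because it is older than the retention window, and the 16-digit order number in record 2 is left alone because it fails the Luhn check.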
References
Gallaher, M., Link, L. & Rowe, R. (2008). Cyber Security: Economic Strategies and Public Policy Alternatives. Cheltenham: Edward Elgar Publishing.
Lewis, J. (2003). Cyber Security: Turning National Solutions Into International Cooperation. Washington, DC: The CSIS Press.
Oram, A., & Viega, J. (2009). Beautiful Security: Leading Security Experts Explain How They Think. Sebastopol, CA; Farnham: O’Reilly.
Powner, D. (2010). Cybersecurity: Key Challenges Need to be Addressed to Improve Research and Development. New York: Diane Publishing.
Shoemaker, D., Conklin, W. & Conklin, A. (2011). Cybersecurity: The Essential Body of Knowledge. New York: Cengage Learning.
Theohary, C. (2010). Cybersecurity: Current Legislation, Executive Branch Initiatives, and Options for Congress. New York: Intelligence and National Security Alliance.
Wilshusen, G. (2010). Cybersecurity: Progress Made But Challenges Remain in Defining and Coordinating The Comprehensive National Initiative. New York: Diane Publishing.
