Case Studies : THE WORST DATA THEFT EVER?
Summary:
This case study is about one of the biggest thefts of credit and debit card information. The TJX Company is the leading off-price retailer of apparel and home fashions in the U.S. TJX operates four major divisions with chains that include T.J. Maxx, Marshalls, and Home Goods in the U.S.; Winners, Home Sense, and Marshalls in Canada; and T.K. Maxx and Home Sense in Europe. On December 18, 2006, TJX Companies management was informed that its computer system had been infiltrated with suspicious software and that the intruders had stolen records with at least 45.7 million credit and debit card numbers. The hackers also obtained information such as Social Security numbers, military identification, and driving licenses of more than 451.0000 customers. This is considered the biggest theft of cards in history also because the thefts took place over an eighteen-month period without anyone's knowledge. The problem was first discovered at credit-card issuers such as Fidelity Homestead and the Louisiana savings bank. While its customers were dealing with the consequences of Hurricane Katrina, their accounts started to show strange shopping transactions from South California and Mexico.
Q1: List and describe the security control weaknesses at TJX companies.
1) TJX Companies computer system is infiltrated
2) Suspicious software
The credit card data theft at TJX Companies is considered one of the worst ever. The case is significant because of a lack of appropriate security and control. The firewalls that TJX had in place did not provide enough security. The hackers also used mobile data access technology to decode data transmitted wirelessly between handheld price-checking devices, cash registers, and the store's computers. TJX was using an outdated encryption system, which made it easy for hackers to crack. The hackers stole user names and passwords to set up their own TJX account using handheld equipment and also used the data to crack encryption codes.
Q2: What management, organization, and technology factors contributed to these weaknesses?
Rogue software programs that attach themselves to other software programs or data files in order to be executed. Independent computer programs that copy themselves from one computer to other computers over a network. Software programs that appear to be benign but then do something other than expected. Small programs that install themselves surreptitiously on computers to monitor user Web surfing activity and serve up advertising. Programs that record every keystroke on a computer to steal serial numbers and passwords or to launch Internet attacks.
Q3: What was the business impact of TJX's data loss on TJX, consumers and banks?
The TJ Maxx data breach has rocked the retail and banking industries, and many estimate that it will cost hundreds of millions or even a billion-plus dollars in financial damage. It was already widely reported back in March that the TJ Maxx breach was probably due to an insecure wireless network.
Q4: How effectively did TJX deal with these problems?
In 2008 the TJX management decided to strengthen its information system. Around $300 million was spent by the banks to replace the stolen cards and recover losses. In fiscal 2009 TJX paid $225 million for the settlement of the theft, which was expected to reach $1 billion.
Q5. What solutions would you suggest to prevent the problems?
TJX was still using the old Wired Equivalent Privacy (WEP) encryption system, which is relatively easy for hackers to crack. Other companies had switched to the more secure Wi-Fi Protected Access (WPA) standard with more complex encryption, but TJX did not make the change. An auditor later found that TJX had also neglected to install firewalls and data encryption on many of the computers using the wireless network, and did not properly install another layer of security software.
• Software controls
• Hardware controls
• Computer operations controls
• Data security controls
• Implementation controls
• Administrative controls
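
The auditor findings described above (WEP still in use, no firewalls and no data encryption on computers using the wireless network) can be expressed as a repeatable inventory check. This is an added example, not part of the original case study; the inventory fields, asset names and the WPA2 baseline are assumptions, and the sample inventory is constructed.

```python
from dataclasses import dataclass

# Wireless protection modes ranked weakest to strongest. The ranking and the
# WPA2 baseline are assumptions of this example; the case study names WPA.
MODE_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}
MIN_MODE = "WPA2"

@dataclass
class AccessPoint:
    ssid: str
    mode: str

@dataclass
class Host:
    name: str
    ssid: str             # wireless network the host is attached to
    firewall: bool        # firewall installed and enabled
    data_encrypted: bool  # stored data is encrypted

def audit(aps, hosts):
    """Return a sorted list of (asset, finding) tuples for the inventory."""
    findings = []
    known = {ap.ssid for ap in aps}
    for ap in aps:
        rank = MODE_RANK.get(ap.mode.upper())
        if rank is None:
            findings.append((ap.ssid, f"unknown mode {ap.mode!r}"))
        elif rank < MODE_RANK[MIN_MODE]:
            findings.append((ap.ssid, f"weak wireless encryption: {ap.mode.upper()}"))
    for h in hosts:
        if h.ssid not in known:
            findings.append((h.name, f"attached to unlisted network {h.ssid!r}"))
        if not h.firewall:
            findings.append((h.name, "no firewall"))
        if not h.data_encrypted:
            findings.append((h.name, "no data encryption"))
    return sorted(findings)

# Constructed sample inventory (hypothetical names, not TJX data).
SAMPLE_APS = [AccessPoint("store-pos", "wep"), AccessPoint("corp", "WPA2")]
SAMPLE_HOSTS = [
    Host("register-01", "store-pos", firewall=False, data_encrypted=False),
    Host("price-checker-07", "store-pos", firewall=True, data_encrypted=False),
    Host("hq-laptop-3", "corp", firewall=True, data_encrypted=True),
]

if __name__ == "__main__":
    for asset, finding in audit(SAMPLE_APS, SAMPLE_HOSTS):
        print(f"{asset}: {finding}")
```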