The TJX companies breach, which took place in January 2007, is considered the biggest data breach ever recorded in terms of security breaches. This incident served as a wake-up call for businesses by emphasizing the significance of implementing strong security measures (Dash, 2007). TJX, the parent company overseeing retail chains such as TJ Maxx, Marshalls, and Homegoods, encountered a security system failure that enabled hackers to steal approximately 200 million customer records (Swann, 2007). The consequences of this breach led to damages valued at $4.8 billion (Swann, 2007).
Reports indicate that inadequate security measures led to a breach, endangering consumer data such as debit cards, credit cards, checking account information, and driver’s license numbers. The breach revealed three primary vulnerabilities: weak wireless network security, improper customer data storage procedures, and failure to encrypt customer account data. This breach occurred in two stages beginning in 2002 (Dash, 2007). In the initial phase alone, over 94 million individuals were impacted. The breach was executed via a wireless network and was relatively straightforward.
The attack, known as a protocol analyzer or sniffer attack (Gibson, 2012), involves running the analyzer to capture and save packets as a file for browsing later (Gibson, 2012). The TJX case investigation revealed non-compliance with the Payment Card Industry (PCI) data security standards established in 2004 by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International (Berg, Freeman, & Schneider, 2008).
The hackers utilized a telescope-like radio antenna in the parking lot of the store where the initial breach took place to intercept data. This enabled them to gain access to a wireless network that had inadequate security. The network was using a security protocol called wired equivalent privacy (WEP), which is not secure and easily accessible (Gibson, 2012). WEP has multiple security flaws and has since been replaced by more secure protocols like WPA and WPA2 (Gibson, 2012). In fact, researchers at Darmstadt Technical University in Germany successfully demonstrated that a WEP key can be broken in less than a minute (Berg, Freeman, & Schneider, 2008).
According to Berg, Freeman, & Schneider (2008), WEP does not meet industry standards that require the use of the stronger WPA protocol. The attackers first hacked into the store’s network and stole employees’ usernames and passwords. By using these credentials, they gained access to the main database at the corporate headquarters and created their own accounts within the employee database. Once they infiltrated the corporate network, they proceeded to breach security and collect credit card numbers and any desired customer information.
The TJX data breach occurred for approximately 18 months before TJX became aware of it. Reports indicate that the company’s data storage practices violated industry standards as they stored sensitive information, such as the full-track details, card-validation code (CVC) number, and personal identification number (PIN), which should not have been stored according to PCI Data Security Standard 3. Encrypting the data strongly could have prevented harm even if hackers gained access to inadequate customer records. It is clear that TJX did not comply with industry standards, particularly PCI Data Security Standard 3.4, which requires rendering the customer’s primary account number unreadable at a minimum. Additionally, PCI Data Security Standards 3.5 and 3.6 mandate protecting encryption keys used to safeguard customer data from disclosure or misuse by merchants. Gibson (2012) stresses the importance of safeguarding data from unauthorized users for maintaining confidentiality; however, in this case, there was a lack of protection. Although the organization authenticated their users internally, they failed to implement measures preventing intruders from accessing employees’ user IDs and passwords.
The use of a WEP wireless network connection did not provide protection against loss of confidentiality, granting intruders access to the system. The lack of integrity protection resulted in unauthorized modifications of data being undetected by TJX for years. The hackers were able to create their own IDs and passwords without the knowledge of the gatekeepers. The prevention of availability loss ensures that IT systems and data remain accessible as needed.
The data was available even when not needed, stored in an unencrypted format. Implementing advancements like encrypting customer data, securing the network, and regularly checking for vulnerabilities could have prevented this breach from recurring. Ultimately, the TJX companies’ lack of proper security measures caused dissatisfaction among customers and significant financial losses.
It is evident that the TJX companies were ill-prepared to handle such an event and neglected to take the necessary precautions to avoid it. The involvement of inexperienced employees responsible for network security contributed to this incident. External firms had previously alerted the TJX companies about the potential for a breach, but due to the inexperienced employees safeguarding their network, the warning was disregarded. If the TJX companies had complied with PCI standards and encrypted their data, the consequences of a system breach would have been significantly reduced or possibly eliminated.
Implementing security measures on all levels and educating employees could prevent reoccurrence. Additionally, testing for vulnerabilities would expose weak areas, helping to prevent reoccurrence.
Berg, G. G., Freeman, M. S., & Schneider, K. N. (2008). Analyzing the TJ Maxx Data Security Fiasco. CPA Journal, 78(8), pp. 34 – 37.
According to an article in the New York Times by Dash, E. (2007), a data breach at TJX could potentially impact millions of shoppers. The article can be found on page C. 9.
Gibson, D. (2012). Systems Security Certified Practitioner Exam Guide. McGraw-Hill.
Swann, J. (2007, April). Back From The Breach. Community Banker, 4, 34 – 38.