1.Identify & describe the failure points in TJX’s security that requires attention (including, but not limited to: People, Work Process, and Technology)? After analyzing the Ivey case on TJX data fiasco, I would say there were three major failure points that caused this $168MM financial hit to the corporation. •Technology: it is obvious that TJX had several technology deficiencies mainly driven by systems limitations and vulnerability. For example, inadequate wireless network security allowed the hackers to attack specific stores just by using a laptop and an antenna which permitted the thieves access to the central database. As it was mentioned in the business case, TJX was using (WEP) as the security protocol and it is well-known in the e-commerce arena that WEP encryption can be deciphered in less than one minute which makes it very unreliable and risky for business transactions. Last but not least, TJX failed to encrypt customer data. •Auditors: it is concerning that TJX passed a PCI DSS check up and that non auditor noticed the technology issues TJX was facing. •Executives at TJX: It is evident that the company wasn’t in compliance with the Payment Card Industry (PCI) standards. Primarily, the person in charge of the IT department should have been on top of ensuring TJX to be in compliance, by setting expectations and objectives pertained to security within its organization. In addition to the head of IT, I would also find guilty, all the other executives in the company responsible for the health of the business. Secondly, TJX violated industry standards by storing full track records from each customer.
2.How should the company’s IT security be improved and strengthened? TJX IT security could be improved and strengthened by doing the following: •Implementing good security governance: as we know TJX didn’t have any auditing access on a regular basis neither they were monitoring or having log data to do forensic analysis.
•Improve wireless security: TJX needs to upgrade its wireless security immediately. In different articles I read on TJX, at the time of the security breach they were using the weakest wireless security protocol WEP instead of the WI-FI protected access (WAP). •Customer’s sensitive data: TJX needs to identify and control where customer sensitive data is being store, for example TJX was storing this type of information on local machines without any type of regulation.
3.What should its short-term priorities and long-term plans be? Short term priorities:
•Implement a security training program for IT employees and any employee manipulating customer sensitive data
•Identify the weak system areas that intruders may attack •Establish periodically auditing check up points.
•Complete financial analysis on the $ cost / benefit investment needed to upgrade technology security. Technology is expensive; however, data breaches are even more expensive. Long term priorities:
•The CIO role in the company needs to be clearly identified along with accountabilities and objectives for him and his organization, including preventing security breaches. •Since E-Commerce and technology evolves every day, developing a team or process to stay on top of potential business risks associated to security.
4.Was TJX a victim of ingenious cyber crooks or did it create risk by cutting corners? TJX created its own risk because it had so many deficiencies in its data security processes and it lack of good quality wireless security. The best proof that TJX created its own risk is the fact that intruders were able to access the central database containing customer sensitive information for a long period of time (between July 2005 and January 2007) before this issue was identified and law enforcement officials were notified to investigate.
5.How do smart, profitable retail organizations get into this kind of situation and what can other retail organizations learn from TJX in order to avoid getting into this situation? TJX data breach is being considered as the largest data theft ever so there is a lot to be learned from it. In question # 3, some of these learning and how to prevent more data breaches in the future were addressed. However, the most important lesson learned from this incident is that retailers need to invest in security technology with or more enthusiasm as they invest on CRM tools to increase revenues. If we look at the financial data provided (exhibit 1), TJX Net sales were growing year-over-year at an average of 7% to 8% because of the company focus on “profitable growth sales”. The total cost TJX booked associated to the data breach was $168MM which represents close to a 1% of the 2007 Net Sales. If a cost / benefit analysis should had
being completed to compare the $ investment needed to implement state-of the-art data security I’m positive it would had cost to the company much more less than $168MM. TJX emphasis on profitable sales was good business strategy, however, it ended up losing money by being neglected on data security.
