TJX, the leading off-price retailer of apparel and home fashions in the U.S., was the
victim of the biggest data theft involving credit and debit card information. TJX
operates chains of department stores in the U.S. including T.J. Maxx, Marshalls, Home
Goods, A.J. Wright Stores, and Winners and Home Sense in Canada. It all started when
conspirators identified a vulnerable wireless network at a Marshalls department store in
Miami and used it to install a sniffer program on the computers of the chain’s parent
company, TJX. Consequently, the hackers were able to access the central TJX database,
stealing 45 million credit and debit card numbers from its chain stores’ customer


1. List and describe the security control weaknesses at TJX Companies.
o They were still using the outdated Wired Equivalent Privacy (WEP) encryption
system, which is relatively easy for hackers to crack.
o TJX neglected to install firewalls and data encryption on many of its computers
using the wireless network.
o TJX did not properly install another layer of security software that it had
o The companies transmitted credit card data to banks without encryption, violating
credit card company guidelines.
o TJX retained cardholder data in its systems much longer than stipulated by
industry rules for storing such data.
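As an added example (not part of the original case write-up), the following Python script shows one concrete check behind the last two weaknesses: it scans stored transaction rows for unmasked card numbers (digit runs of 13 to 19 digits that pass the Luhn check) and flags any such row kept beyond a retention window. The sample rows, the 90-day window and the row format are constructed for illustration and are not TJX data.

```python
import re
from datetime import date

# Constructed sample rows (not real data), shaped like lines in a retailer's
# transaction archive: (record id, date the row was written, stored text).
SAMPLE_RECORDS = [
    ("txn-0001", date(2007, 1, 10), "auth ok card=4111111111111111 exp=0909 amt=59.99"),
    ("txn-0002", date(2007, 1, 12), "auth ok card=************1111 amt=12.50"),
    ("txn-0003", date(2007, 12, 1), "auth ok card=5500 0000 0000 0004 amt=100.00"),
    ("txn-0004", date(2007, 12, 20), "order ref=4111111111111112 amt=3.00"),
]

# A run of 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; every real card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return card-number-like strings in text that pass the Luhn check.

    Caveat: about one random digit string in ten passes Luhn, so a hit is a
    lead to confirm, not proof; a masked value such as ****1111 never matches.
    """
    found = []
    for m in _CANDIDATE.finditer(text):
        candidate = re.sub(r"[ -]", "", m.group())
        if 13 <= len(candidate) <= 19 and luhn_valid(candidate):
            found.append(candidate)
    return found


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the usual form for reports and receipts."""
    return "*" * (len(pan) - 4) + pan[-4:]


def audit(records, today: date, retention_days: int) -> list:
    """Report rows holding a plaintext PAN and whether they exceed retention."""
    findings = []
    for rec_id, stored_on, text in records:
        pans = find_pans(text)
        if not pans:
            continue
        age = (today - stored_on).days
        findings.append({
            "id": rec_id,
            "pans": [mask_pan(p) for p in pans],   # never echo the full PAN
            "days_old": age,
            "past_retention": age > retention_days,
        })
    return findings


if __name__ == "__main__":
    # Assumed audit date and 90-day retention window, for illustration only.
    for f in audit(SAMPLE_RECORDS, date(2008, 1, 1), 90):
        status = "PAST RETENTION" if f["past_retention"] else "within window"
        print(f"{f['id']}: plaintext PAN {f['pans']} stored {f['days_old']} days ({status})")
```

Row txn-0001 is reported as both a plaintext PAN and a retention violation, txn-0003 only as a plaintext PAN, and txn-0002 (masked) and txn-0004 (fails Luhn) are not reported at all.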

2. What management, organization, and technology factors contributed to
these weaknesses?
As to people, the hackers themselves are to be blamed because of their illegal and
unethical activities. Out of self-interest and a drive for money, the conspirators
committed the crime regardless of the harm they could cause to TJX, the credit card
industry, and the victims of the theft.
As to organization, TJX and card-issuing institutions such as banks should have been
more responsible in protecting the confidentiality of the information entrusted to
them. TJX and the credit card companies were complacent about their existing security
systems. TJX in particular did not follow industry protocols and credit card company
guidelines. Likewise, had the banks been stricter in implementing and monitoring
compliance of companies’ credit card transactions and alerted clients to red flags, the
damage would have been less. Similarly, companies were so driven by short-term profits
that they were reluctant to invest significantly in a foolproof security system and
ignored protocols to maximize their gains.
As to technology, there is no such thing as “foolproof”, because over time technology
needs to change and upgrade, since culprits would eventually figure out how to hack the
system.

3. How effectively did TJX deal with these problems?
In 2008 the TJX management decided to strengthen its information system. TJX’s
contingency measures are on the right track; however, whether or not they have regained
their customers’ trust is still uncertain.

4. Who should be held liable for the losses caused by the use of fraudulent credit
cards in this case? TJX? The banks issuing the credit cards? The consumers? Justify
your answer.
First of all, the fiasco was the result of TJX management’s negligence and
noncompliance with credit card guidelines and industry standards in data processing and
storage. But the losses should not be solely shouldered by TJX. The credit card issuers
or banks should also take responsibility, as they were also partly at fault. Banks
should have monitored and audited business transactions and immediately alerted clients
to red flags or suspicious transactions in order to minimize losses. They should also be
more stringent with regard to approving credit card transactions.

5. What was the business impact of TJX’s data loss on TJX, consumers and banks?
TJX’s data breach has rocked the retail and banking industry, and many estimate that
it will cost hundreds of millions or even billion-plus dollars in financial damage. In
fiscal 2009, TJX paid $225 million for the settlement of the theft, which was expected
to reach $1 billion in 5 years after implementing security upgrades, additional
marketing expenses, and consultancy fees. Around $300 million was spent by the banks to
replace the stolen cards and recover losses. Because of the hugeness of the financial
losses incurred by both TJX and the credit card issuers, the incident would surely leave
a valuable lesson to every business, may it be big or small.

6. What solutions would you suggest to prevent the problems?
Companies must weigh the costs against the benefits of implementing security measures
in their business systems. Investing in system security may cost significantly, but the
effects of a security breach may be far more costly. A company as huge as TJX must
implement the following controls:
• Software controls – TJX must constantly upgrade its security systems in order to
prevent being vulnerable to internal and external threats.
• Hardware controls – TJX must also secure the hardware that maintains the system.
Perimeter security must include installation of routers and hardware upgrades.
• Computer operations controls – Since TJX is a huge retailer, comprising numerous
chains all over North America, it must also establish its own security operations
center for monitoring its systems (including LAN, WAN, Web and database security).
• Data security controls – TJX must restrict data access to authorized personnel only,
using high-level encryption, passwords, lock keys, and fingerprint or voice recognition
security protocols when necessary.
• Implementation and administrative controls – Rigid training must be conducted for IT
people and employees who have direct access to the system in order to avoid internal
risk. In addition, the company should hire external system auditors in order to ensure
compliance and prevent incidents such as this. The company should also review its own
policies and procedures and make changes too. Continuous improvements are necessary.

III. CONCLUSION
The risk of a cyber security attack is conspicuous and should not be taken lightly. The
TJX case was indeed the worst data theft ever. As implied by the case of TJX, and due to
new bills and regulations, companies will have to pay for the damage they caused, while
huge banks are trying to pay as little as possible. Companies like TJX must do their
part in protecting client information at all costs. Hence, investment in
state-of-the-art technology is a must. Likewise, the company must not forget that
technology has its own limitations.

IV. RECOMMENDATION
The risk of a security breach is conspicuous and should not be taken lightly. TJX must
invest in system security upgrades and must follow protocols and guidelines accordingly.
Investment in technology may seem very expensive, but as the TJX incident shows, the
expenses after a major mishap could turn the company upside down. Lastly, there should
also be regular training for IT people and employees who have direct access to the
system in order to avoid internal risk. Checking, monitoring and updating security
systems regularly is critical to prevent being an easy target for the growing
cybercrime community.