
Running Head: SECURITY BREACHES 1

Security Breaches

Name

School Affiliation

Abstract

In our world today, money is becoming virtual. For this reason, fraudsters are also
going digital while trying to access this cash. Moreover, there are increasing cases of payment card
information being stolen. This paper will look at the case of TJ Maxx (TJX), the largest
off-price retailer of clothing in the US, in which hackers accessed its customers' credit card
information. This company saw over 45 million credit and debit card numbers being lost, thus
leading to a huge amount of fraudulent transactions because of weak security systems in at least
a single store. The result of this was a loss of the trust that customers had in the store, something that
affected its sales.

TJX is a company that operates more than 800 stores in the United States. They are
successful, and part of that success could be attributed to the fact that they had embraced
technology, which they used to make their work more efficient. They used this technology within
their stores; however, on January 17, 2007, the company announced that their system had been
compromised and their customers' credit card data had been stolen (Schuman, 2007). The
consequences of this were seen in their stock price, which plummeted by 10 percent in the days
that followed.

This breach happened at one of their sites, located near St. Paul in Miami. It is
stated that in July 2005, hackers started accessing the local computer system in this store in
order to get access to the whole TJX network (McMillan, 2008). This store utilized a wireless
price-checking device in order to reduce the amount of wiring used in
the store. The data that was submitted was then received by a server that required an employee
login. In the initial phase of this theft, it is said that the hackers streamed data to their laptop by
using antennas to catch the radio signals during peak hours. At that moment their identity was still
unknown, but people suspected that they were hackers hailing from Romania based on the style
in which they compromised the system.

The source of this breach has not yet been determined, but there are conflicting accounts.
One is the account stated above, in which it is believed that hackers took advantage of a
poorly encrypted system and stole the payment card information during a wireless transfer between two
stores in Miami, FL (Bradner, 2007). The other account alleges that the hackers broke into the
network through the in-store kiosk where people could apply for a job electronically. It is argued
that there is a possibility that there was no firewall in the TJX network to protect it from being
hacked (Schuman, 2007). Albert Gonzalez was the hacker behind those hackings, and he was
convicted and sentenced to two 20-year terms in prison; 11 other people were also arrested in
connection with this (Bradner, 2007).

In order to understand how this hacking occurred, there is a need to look at the technical
background of the system used by TJX. During that time, there were two important standards
that dealt with wireless encryption: the first was the Wired Equivalent Privacy
(WEP) standard, brought forward in 2000, while the second was WiFi Protected
Access (WPA), developed and brought forward three years later, in 2003. WEP could be easily
hacked, and for this reason the WPA standard was developed (The TJ Maxx, n.d.). This standard
not only has a better system of authentication and better encryption, it also provides its
users with higher payload integrity (Cereola & Cereola, 2011). However, in order for this
higher security to be achieved, there is a need to use appropriate software and devices. The
unfortunate thing is that TJX had failed to upgrade their system to this new standard, WPA (The
TJ Maxx, n.d.). Moreover, the store that was located near St. Paul had not installed and
configured the whole security software as was expected. The result of this is that the hackers
managed to access the local system easily, where they were able to create their own user accounts
that had full administrator rights.

Managers of every local store had been given access to the central database since they
had to synchronize the data of each store with the whole company (The TJ Maxx, n.d.). Some of
the information contained in this data was contact information as well as payment card
information. The hackers were able to intercept all the data that had been processed in
the store during business hours (Xu, Grant, Nguyen, & Dai, 2008). This included the information
that was unencrypted during the process of payment card approval. The hackers were also able
to create a procedure in the company's database in order to back up the existing payment card
details by utilizing the decryption tool of the company software.

The measures that have been taken by TJX include adopting a firewall and using the
latest systems that are more secure. However, the most important measure that they have taken is to
comply with PCI security standards. The company was required to have complied with these
standards as early as 2004, but they were reluctant (The TJ Maxx, n.d.). PCI standards require
merchants to limit the amount of card information stored as well as the time for which this
information is retained to what is required for business or any other legal purpose.
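
The following is an added illustration, not part of the original paper: a minimal retention audit of the kind the PCI storage and retention limits call for, flagging stored records that still hold a full card number. The 90-day window, the record layout and the sample records (which use well-known test card numbers) are assumptions constructed for this example.

```python
import re
from datetime import date

RETENTION_DAYS = 90  # assumed business retention limit, not a figure from the paper
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # 13-19 digits, optional separators

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Return full card numbers found in free text, separators stripped."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

def audit(records, today):
    """Return (record id, finding) pairs for stored data that breaks the policy."""
    findings = []
    for rec in records:
        age = (today - rec["stored"]).days
        if not find_pans(rec["payload"]):
            continue            # masked or card-free record: nothing to report
        if age > RETENTION_DAYS:
            findings.append((rec["id"], "full PAN kept past retention window"))
        else:
            findings.append((rec["id"], "full PAN stored unmasked"))
    return findings

# Constructed sample records (hypothetical layout, test card numbers only).
SAMPLE = [
    {"id": 1, "stored": date(2005, 7, 1), "payload": "card=4111 1111 1111 1111 amt=59.99"},
    {"id": 2, "stored": date(2006, 12, 20), "payload": "card=************1111 amt=12.00"},
    {"id": 3, "stored": date(2006, 12, 28), "payload": "card=5500-0000-0000-0004 amt=8.50"},
    {"id": 4, "stored": date(2006, 12, 28), "payload": "order=1234567890123456 qty=2"},
]

if __name__ == "__main__":
    for rec_id, finding in audit(SAMPLE, date(2007, 1, 17)):
        print(rec_id, finding)
```

Record 2 is masked and record 4 fails the Luhn check, so neither is reported; only records that actually hold a full card number are flagged.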



References

Bradner, S. (Jan 29, 2007). TJX security breach aftermath: a case study in what to do wrong.
Retrieved from http://www.networkworld.com/article/2303490/lan-wan/tjx-security-breach-aftermath--a-case-study-in-what-to-do-wrong.html

Cereola, S. J., & Cereola, R. J. (2011). Breach of data at TJX: An instructional case used to study
COSO and COBIT, with a focus on computer controls, data security, and privacy
legislation. Issues in Accounting Education, 26(3), 521-545.

McMillan, R. (May 27, 2008). TJX Staffer Sacked After Talking About Security Problems.
Retrieved from http://www.csoonline.com/article/2122737/identity-theft-prevention/tjx-staffer-sacked-after-talking-about-security-problems.html

Schuman, E. (2007). The TJX Data loss and security breach case. Retrieved from
http://sydney.edu.au/engineering/it/courses/info5990/Supplements/Week07_Malware%26Security/Supp07-4TJXCaseDetails.pdf

The TJ Maxx Credit Card Incident (n.d.). Retrieved from
http://tlotzke.myweb.usf.edu/tjx_creditcard.pdf

Xu, W., Grant, G., Nguyen, H., & Dai, X. (2008). Security Breach: The Case of TJX Companies,
Inc. Communications of the Association for Information Systems, 23(1), 31.
