Security Breaches
Name
School Affiliation
SECURITY BREACHES 2
Abstract
In our world today, money is becoming virtual. For this reason, fraudsters are also
going digital while trying to access this cash. Moreover, there are increasing cases of payment card
information being stolen. This paper will look at the case of TJ Maxx (TJX), the largest
off-price retailer of clothing in the US, in which hackers accessed its customers' credit card
information. The company saw over 45 million credit and debit card numbers lost, leading
to a huge amount of fraudulent transactions because of weak security systems in at least
a single store. The result of this was a loss of the trust that customers had in the store, something that
TJX is a company that operates more than 800 stores in the United States. It is
successful, and part of that success can be attributed to the fact that it embraced
technology to make its work more efficient. This technology was used within
its stores. However, on January 17, 2007, the company announced that its system had been
compromised and its customers' credit card data had been stolen (Schuman, 2007). The
consequences of this were seen in its stock price, which plummeted by 10 percent in the days
that followed.
This breach happened at one of their sites, located near St. Paul in Miami. It is
stated that in July 2005, hackers had started accessing the local computer system in this store in
order to get access to the whole TJX network (McMillan, 2008). This store used a wireless
price-checking device in order to reduce the amount of wiring in
the store. The data that was submitted was then received by a server that required an employee
login. In the initial phase of this theft, it is said that the hackers streamed data to their laptop by
using antennas to catch the radio signals during peak hours. At that moment their identity was still
unknown, but people suspected that they were hackers hailing from Romania based on the style
The source of this breach has not yet been determined, and there are conflicting accounts.
One account holds that hackers took advantage of a system that was
poorly encrypted and stole the payment card information during a wireless transfer between two
stores in Miami, FL (Bradner, 2007). The other account alleges that the hackers broke into the
network through the in-store kiosk where people could apply for a job electronically. It is argued
that there is a possibility that there was no firewall in the TJX network to protect it from being
hacked (Schuman, 2007). Albert Gonzalez was the hacker behind those hackings, and he was
convicted and sentenced to two 20-year terms in prison; 11 other people were also arrested in
In order to understand how this hacking occurred, there is a need to look at the technical
background of the system used by TJX. At that time, there were two important standards
that dealt with wireless encryption: the first was the Wired Equivalent Privacy
(WEP) standard, which was brought forward in 2000, while the second was WiFi Protected
Access (WPA), brought forward three years later in 2003. WEP could be easily
hacked, and for this reason the WPA standard was developed (The TJ Maxx, n.d). This standard
not only has a better system of authentication and better encryption, it also provides its
users with higher payload integrity (Cereola, & Cereola, 2011). However, in order for this
higher security to be achieved, there is a need to use appropriate software and devices. The
unfortunate thing is that TJX had failed to upgrade their system to this new standard, WPA (The
TJ Maxx, n.d). Moreover, the store that was located near St. Paul had not installed and
configured the whole security software as was expected. The result of this is that the hackers
managed to access the local system easily where they were able to create their own user accounts
Managers of every local store had been given access to the central database since they
had to synchronize the data of each store with the whole company (The TJ Maxx, n.d). The
information contained in this data included contact information as well as payment card
information. The hackers were able to intercept all the data that had been processed in
the store during business hours (Xu, Grant, Nguyen, & Dai, 2008). This included the information
that was unencrypted during the process of payment card approval. The hackers were also able
to create a procedure in the company's database in order to back up the existing payment card
The measures that have been taken by TJX include adopting a firewall and using the
latest systems that are more secure. However, the most important measure that they have taken is to
comply with PCI security standards. The company was required to have complied with these
standards as early as 2004, but they were reluctant (The TJ Maxx, n.d). PCI standards require
merchants to limit the amount of card information storage as well as the time in which this
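The storage and retention limits described above can be checked mechanically. The following is an added example, not part of the original paper: a small Python audit that finds unencrypted card numbers in stored records using a Luhn check, masks them for reporting, and flags records held longer than a retention limit. The record layout, the sample data (built from well-known test card numbers) and the 90-day limit are assumptions made for illustration.

```python
import re
from datetime import date

# Candidate card number: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only the first six and last four digits in the report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def audit(records, today: date, max_age_days: int):
    """Return (record id, masked number, age in days, over retention limit)."""
    findings = []
    for rec_id, stored_on, text in records:
        for m in PAN_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_ok(digits):
                continue
            age = (today - stored_on).days
            findings.append((rec_id, mask(digits), age, age > max_age_days))
    return findings

# Constructed sample records (hypothetical layout: id, date stored, raw text).
SAMPLE = [
    ("pos-log-1", date(2007, 1, 2), "auth ok pan=4111111111111111 store=12"),
    ("pos-log-2", date(2005, 7, 15), "refund card 5500 0000 0000 0004 approved"),
    ("inv-7", date(2006, 12, 1), "order ref 1234567890123456 shipped"),
]

if __name__ == "__main__":
    # 90 days is an assumed policy value, not a figure from the PCI standard.
    for finding in audit(SAMPLE, date(2007, 1, 17), max_age_days=90):
        print(finding)
```
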
References
Bradner, S. (2007, January 29). TJX security breach aftermath: a case study in what to do wrong.
breach-aftermath--a-case-study-in-what-to-do-wrong.html
Cereola, S. J., & Cereola, R. J. (2011). Breach of data at TJX: An instructional case used to study
COSO and COBIT, with a focus on computer controls, data security, and privacy
McMillan, R. (2008, May 27). TJX Staffer Sacked After Talking About Security Problems.
staffer-sacked-after-talking-about-security-problems.html
Schuman, E. (2007). The TJX Data loss and security breach case. Retrieved from
http://sydney.edu.au/engineering/it/courses/info5990/Supplements/Week07_Malware%26Security/Supp07-4TJXCaseDetails.pdf
http://tlotzke.myweb.usf.edu/tjx_creditcard.pdf
Xu, W., Grant, G., Nguyen, H., & Dai, X. (2008). Security Breach: The Case of TJX Companies,