Presentation is loading. Please wait.

Presentation is loading. Please wait.

MIS 5121: Real World Control Failure - TJX

Published byJeffrey Simmons Modified over 6 years ago

Similar presentations

Presentation on theme: "MIS 5121: Real World Control Failure - TJX"— Presentation transcript:

1 MIS 5121: Real World Control Failure - TJX
By: Victoria a. johnson

2 Background Founded in 1976, TJX was once considered the largest apparel and home fashions retailer in the US off-price segment. Ranked #138 in the Fortune 500 rankings for 2006. Reached $17.4 billion in sales for the year ending January 2007. Tripled in size to their closest competitor, Ross Stores Inc. Operated eight independent businesses with 2,400 stores and 125,000 associates. Sold branded merchandise at 20 and 70 per cent lower than department stores. Purchased merchandise directly from manufacturers at wholesale prices.

3 What Happened? On December 18, 2006, TJX detected the presence of suspicious software, altered computer files and mixed-up data. TJX brought in security consultants and notified law enforcement officials. All eight business within the United States, Puerto Rico, Canada and the United Kingdom had been breached. On February 21, 2007, TJX made a public announcement and acknowledged that their systems were first accessed back in July 2005. Payment card consumer data was believed to be stolen from their systems which included driver license numbers, identification numbers and in some cases included social security numbers. It was revealed that the cyber attack lasted for 1.5 years.

4 How It Happened? Research concluded that TJX systems had been intruded upon by multiple points of attack. These multiple points included: encryption, wireless attacks, USB drives stored at in-store kiosks, processing logs, and compliance and auditing practices. TJX central database in Framington was believed to be the source of the hack which allowed intruders to steal payment card data.

5 HIERARCHICAL CONTROL STRUCTURE
TJX HIERARCHICAL CONTROL STRUCTURE

6 How It Happened? Encryption Wireless attack
Credit cards couldn’t be processed when their numbers were encrypted so the intruders found a way to get the data during the window of processing time before it could be encrypted. Wireless attack Intruders focused on handheld (price check) guns and their interactions with database controllers which allowed them to obtain IP addresses. USB drives at In-store kiosks The intruders opened the back of the terminals and used USB drives to load software into the terminals.

7 Control Failures A failure to segment networks carrying cardholder data from the rest of TJX's network and the storage of prohibited data. More than 80GB of cardholder data was stolen. Failure to properly configure its wireless network. Failure to maintain adequate logs. Exposed data on nearly 94 million accounts Failure to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as patching or updating anti-virus software.

8 Outcomes A number of class action lawsuits were filed against TJX in US and Canadian courts. There were claims of negligence and related common-law and/or statutory causes of action stemming from the security intrusion. TJX violated 9 out of the 12 Payment Card Industry (PCI) data security controls. The Federal Trade Commission charged TJX with failure to provide reasonable and appropriate security for sensitive consumer information. The settlement reached requires TJX to implement a comprehensive information security programs and obtain audits by independent third party security professionals every other year for 20 years. 12 months after the breach, TJX disclosed that it spent or set aside $250 million in breach related costs which included fixing the security flaws and settling claims, lawsuits and fines. Settlements reached included free credit monitoring services for 3 years to consumer whose driver’s license numbers were revealed in the breach, plus cash reimbursements and vouchers.

9 What Could Have Been Done Differently?
TJX should have established stronger security standards which can include the following: Not using a decryption key from software vendor. Employing encryption at all points of transaction. Regular change keys. Preventing users from completing certain tasks in the database. Removing large amounts of sensitive information that have been available in the system for too long.

10 Sources security/t/encryption-faulted-tjx-hacking/ Have-Been-Avoided scrutiny-for-security-failures.html 12-pci-controls-at-time-of-breach--court-filings-say.html card-hacks/3.html Security Breach at TJX case, Ivey Management Services

Download ppt "MIS 5121: Real World Control Failure - TJX"

Similar presentations

CONFIDENTIAL 1 Preparing for & Maintaining PCI Compliance.

CONFIDENTIAL 1 Preparing for & Maintaining PCI Compliance.
Red Flags Rule BAS Forum August 18, 2010. What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.

Red Flags Rule BAS Forum August 18, What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.
PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.

PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
2012, Team-Tiger- Northwestern McCormick MSIT 2013 Confidential 1 ©2011, Cognizant Northwestern McCormick MSIT- 2013 October 20 th, 2012 Information Security.

2012, Team-Tiger- Northwestern McCormick MSIT 2013 Confidential 1 ©2011, Cognizant Northwestern McCormick MSIT October 20 th, 2012 Information Security.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.

E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Chapter 10: Auditing the Expenditure Cycle

Chapter 10: Auditing the Expenditure Cycle
Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.

Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.
GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.

GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.
Security Analysis and Recommendations. PB’s&J Presenters & Topics David Bihm User Account Management Nathan Julson Data Classification Firewall Architectures.

Security Analysis and Recommendations. PB’s&J Presenters & Topics David Bihm User Account Management Nathan Julson Data Classification Firewall Architectures.
Ryan Paulsen Chris Lafferty Nilesh Nipane.  Intruders gained access to credit card information between 2005-2007  ~50 million credit card and debit.

Ryan Paulsen Chris Lafferty Nilesh Nipane.  Intruders gained access to credit card information between  ~50 million credit card and debit.
Why Comply with PCI Security Standards?

Why Comply with PCI Security Standards?
Northern KY University Merchant Training

Northern KY University Merchant Training
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.

Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
SMARTER. TOGETHER. Skimming Prevention: Overview of Best Practices August 5, 2014.

SMARTER. TOGETHER. Skimming Prevention: Overview of Best Practices August 5, 2014.
Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?

Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?
An Introduction to PCI Compliance. Data Breach Trends About PCI-SSC 12 Requirements of PCI-DSS Establishing Your Validation Level PCI Basics Benefits.

An Introduction to PCI Compliance. Data Breach Trends About PCI-SSC 12 Requirements of PCI-DSS Establishing Your Validation Level PCI Basics Benefits.

Similar presentations

Ads by Google