The TJX Breach – Do Not Cut Corners When It Comes To Security. Be Cyber Vigilant.
TJX Companies Inc. (TJX) is a leading off-price apparel and home fashions retailer and the owner of a number of retail brands, including T.J.Maxx, Marshalls and Bob’s Stores. TJX suffered a major security breach from 2005 to 2007. Over a span of 18 months starting in July 2005, 45.6 million credit and debit card numbers were stolen from its systems. In addition, personal data provided by about 451,000 individuals was also stolen.
The impact of the data breach was huge: not only were TJX’s retail customers in the U.S., Puerto Rico and the U.K. affected, but several banks and credit unions were also implicated and had to block and reissue thousands of payment cards.
Who and how?
Eleven members of the Gonzalez gang, named after its leader Albert Gonzalez, were charged in connection with the attack.
The hackers first gained access to the TJX network in July 2005 by breaking into the poorly protected wireless LANs at two Marshalls stores (a TJX retail brand) in Miami. They then installed a sniffer program that could recognize and capture sensitive cardholder data as it was transmitted unencrypted over the company’s networks. They also replaced a store’s PIN-pad terminal with an identical device that had been electronically altered to capture customers’ account numbers and PINs. After a few days had passed, they returned to collect the device with all the sensitive information stored inside. In total they collected transaction data, including credit-card numbers, in approximately 100 large files.
The hackers operated systematically and in an organised fashion. They first cracked the WEP encryption protocol used to transmit data between price-checking devices, cash registers and computers at a store in Minnesota, and collected the information employees submitted when they logged on to the company’s central database in Massachusetts. This allowed them to steal employees’ usernames and passwords. With those credentials, they set up their own accounts on TJX’s systems and intercepted unencrypted transaction data TJX sent to banks. The hackers even left encrypted messages on the TJX network to tell their team which files had already been copied, using the TJX network as their own personal message board.
- Wakeup call for the management level to focus on IT security
Spending money on IT security is a business decision rather than a technology issue. An email from the Chief Information Officer of TJX revealed that TJX was more concerned with saving money and skipping auditing requirements rather than increasing security.
Decision makers not only have to be aware of the security risks involved in operations but also make a committed and focused effort to ensure the information they possess is protected and secure. All levels of the organisation have to be committed and determined to safeguard the sensitive information they possess. This is an ethical obligation they have to their consumers, employees and partners.
- Importance of having adequate physical security infrastructure and software systems
TJX had secured its wireless network using Wired Equivalent Privacy (WEP), one of the weakest forms of security for wireless LANs. This improperly secured Wi-Fi network at its retail outlets became the point through which hackers were able to access the network. It is strongly recommended to use Wi-Fi Protected Access (WPA) at every physical location that may serve as an entry point to the core network.
Another vulnerability identified was the poorly secured in-store computer kiosks in TJX stores. TJX allowed the public to apply for jobs online using these kiosks, which meant the kiosks became possible gateways into the company’s IT systems. It was also revealed that hackers used USB drives plugged into the back of these kiosks to load software, and that the firewall was not strong enough to block the resulting malicious traffic. USB access on all in-store kiosks or tablets must be disabled. These devices should also be locked down so that customers cannot open or access any other applications on them. In addition, strong firewalls and adequate network segmentation are critical to prevent unauthorized access between systems.
- Crucial to have and implement cyber security protocols and practices
TJX did not have the log data needed to perform a proper forensic analysis of the incident and so lost the tell-tale tracks that computer intrusions leave behind. Log monitoring and log analysis to detect anomalies aid both system recovery and post-attack assessments and reviews, making it easier to identify potential vulnerabilities.
It is also recommended to review the defences of applications and systems periodically, both by testing for potential SQL injection weaknesses and by having white-hat hackers attempt to penetrate the system. This allows the organisation to detect weaknesses in its systems and fix these loopholes before actual hackers find and exploit them.
Retailers typically hold a great deal of sensitive data in their systems, so proper storage of information, encryption, access controls and firewalls are imperative. In addition, any customer information saved on those systems that is no longer needed should be thoroughly destroyed to prevent its exploitation.
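As an added illustration of the kind of log analysis this lesson calls for (example code written for this page, not from the original article or from TJX): a small Python checker run over constructed authentication log lines that model the pattern described above, a store-captured credential reused against the central database and then used to create an attacker-controlled account. The log format, event names and address ranges are assumptions.

```python
import re
from collections import defaultdict

# Assumed log line format (constructed for this example):
#   <timestamp> <event> user=<name> src=<ip> [by=<creator>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\w+) user=(?P<user>\S+) src=(?P<src>[\d.]+)"
    r"(?: by=(?P<by>\S+))?$"
)

# Assumed address plan: store LAN/Wi-Fi versus the central database segment.
STORE_NETS = ("10.50.",)
CORE_NETS = ("10.1.",)
# Constructed sample lines: a store-captured credential (jsmith) reused from a
# store segment against the core, then used to provision an attacker account.
SAMPLE_LOGS = """\
2005-07-11T09:02:10 login user=jsmith src=10.1.20.15
2005-07-11T09:05:44 login user=jsmith src=10.50.3.77
2005-07-11T09:07:01 account_create user=svc_backup2 src=10.50.3.77 by=jsmith
2005-07-11T09:08:30 login user=svc_backup2 src=10.50.3.77
2005-07-12T08:30:00 login user=mlee src=10.1.20.40
""".splitlines()

def segment(ip):
    # Classify a source address by the assumed address plan.
    if ip.startswith(STORE_NETS):
        return "store"
    if ip.startswith(CORE_NETS):
        return "core"
    return "other"

def find_anomalies(lines):
    """Return (rule, user, detail) tuples for the three checks below."""
    events = [m.groupdict() for m in map(LOG_RE.match, lines) if m]
    alerts, segments_seen, new_accounts = [], defaultdict(set), set()
    for e in events:
        seg = segment(e["src"])
        if e["event"] == "account_create":
            new_accounts.add(e["user"])
            if seg == "store":  # provisioning should never originate in a store
                alerts.append(("account_created_from_store", e["user"], e["by"]))
        elif e["event"] == "login":
            segments_seen[e["user"]].add(seg)
            if e["user"] in new_accounts:  # brand-new account already in use
                alerts.append(("new_account_login", e["user"], e["src"]))
    for user, segs in segments_seen.items():
        if {"store", "core"} <= segs:  # one credential used from both sides
            alerts.append(("credential_spans_store_and_core", user, sorted(segs)))
    return alerts
```

Running find_anomalies(SAMPLE_LOGS) yields three alerts: the account created from a store address, the immediate login by that new account, and jsmith’s credential appearing on both the store and core segments; the ordinary mlee login produces nothing.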
- Importance of cyber vigilance
Employees at TJX were not vigilant enough to prevent unauthorized access to terminals.
None of the staff noticed that the PIN pad terminal device had actually been replaced.
Staff have to be trained and educated on the importance of cyber awareness and vigilance. They should be made aware not to leave terminals unattended, not to connect their personal devices to the in-store network or computers, and not to access non-work-related sites from in-store computers.
Financial and reputational losses
TJX is estimated to have incurred about $250 million in breach-related costs over the span of a year, including fixing the security flaws and dealing with the claims, lawsuits and fines that followed the breach.
TJX was sued by one of its shareholders, the Arkansas Carpenters Pension Fund, and by the Massachusetts Bankers Association (MBA), which sought restitution for banks that were forced to block and reissue thousands of debit cards following the breach.