TJX Security Breach
Security breaches of information systems, and of computers in particular, are an ever-present risk that should not be ignored. A breach can severely disrupt an organisation's operations or bring about its complete failure. Security measures that protect an organisation's data and tools should therefore be a priority.
Areas that require attention:
The TJX security breach would not have been as damaging had it not been for human error. One such error was that the company kept too much personal information gathered in business transactions (Ivey, 2008). The "Framingham system" processed and stored information on debit and credit card, cheque and unreceipted merchandise-return transactions for customers of T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the United States and Puerto Rico, and of Winners and HomeSense stores in Canada.
The "Watford system" managed and stored data on payment card transactions at T.K. Maxx stores. The data obtained from the Framingham system and retained in the United States and other countries related to merchandise returned without a receipt and to banking procedures (Ross and Weill, 2002). These records included customers' driver's licence and identification numbers, together with the names and addresses of the customers who returned goods.
Work processes are also flawed and require attention, because TJX relies too heavily on internal information systems to run its off-price stores and stay competitive. These systems deliver data rapidly and support quick decisions at every level, but that dependence also concentrates the risk in a single place.
Technological failure, however, deserves the closest attention. Any security lapse such as hacking implies some form of technological failure, and had the system's security measures been stronger, the breach might not have taken place. Encryption needs attention: the encryption in use could not prevent decryption by unauthorised outsiders. The wireless attack exploited the handheld price-check guns used in the stores; their wireless traffic was intercepted, the company's IP addresses were captured, and the attackers gained a foothold on the network (Ross and Weill, 2002). The intruders also used USB drives containing a utility program that let them take control of in-store computer kiosks and turn them into remote terminals connected to TJX's networks.
The firewalls on the company's network were not configured to guard against traffic originating from the kiosks. Moreover, the USB ports on the kiosks, intended for connecting mice and other peripherals, were left usable for the attackers' drives. Processing logs also need attention: there were no processing logs to provide information about files on the system. For the technology to serve its purpose it must demonstrate compliance, which was lacking (Ivey, 2008). The absence of network monitoring, the absence of logs, the presence of unencrypted data stored on the system and the retention of years of customer data all point to a failure of auditing practices.
TJX can improve on several fronts, particularly at the failure points identified above. The first concerns the people at TJX and the decisions they make. Every action, whether in the work process or in technology, requires a sound decision first, and that decision should be informed by consulting specialists who can recommend the right steps. The company should also learn not to rely so heavily on electronic information systems for crucial interactions; where there is no practical alternative, it is essential to secure those interactions, since TJX depends on them entirely (Ivey, 2008). The systems technology nevertheless requires the most intervention. Outdated encryption must be replaced, because attackers keep pace with technology and the stores' wireless encryption (the obsolete WEP standard) was no match for the tools the attackers used to break it. The same applies to wireless connections in general, where additional layers of security should be added to counter ongoing attacks; intrusion over wireless connections can be detected in real time, and its likely timing, such as peak sales periods, can be anticipated (Ross and Weill, 2002). The firewalls on TJX's main network should be configured to block traffic coming from the kiosks.
TJX should retain processing log data to support forensic analysis of files on the system. Closely related to the recommendation at the people level is compliance with regulations: had compliance been enforced, this kind of breach would not have taken place. TJX also has to introduce network monitoring and logging and eliminate unencrypted data from its systems. Among these recommendations, the technological changes to encryption, wireless connections and auditing practices should be given immediate priority. Processing logs and compliance practices, applied over the long term, will greatly reduce the risk of another breach.
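As an added example (not from the Ivey case and not TJX's own code) of the kind of audit that network monitoring and processing logs make possible, the script below parses constructed firewall connection logs and flags kiosk traffic that the firewall should have dropped, as well as handheld-device traffic reaching the card-processing segment. The subnets, the allow-list, the log format and the log lines are all assumptions made up for illustration.

```python
"""Added example: auditing connection logs for kiosk and handheld traffic
that a correctly configured firewall would have blocked.

All addresses, segment names and log lines are constructed assumptions,
not TJX's real network layout.
"""
import ipaddress
import re
from collections import Counter

# Assumed network segments (hypothetical addressing).
KIOSK_NET = ipaddress.ip_network("10.50.0.0/24")      # in-store kiosks
CARD_NET = ipaddress.ip_network("10.10.0.0/24")       # card-processing hosts
WIRELESS_NET = ipaddress.ip_network("10.70.0.0/24")   # handheld price-check guns

# The only traffic a kiosk legitimately needs: HTTPS to one application server.
ALLOWED_FROM_KIOSK = {(ipaddress.ip_address("10.60.0.5"), 443)}

# Constructed log format: "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample log: one legitimate kiosk session, a kiosk reaching into
# the card segment on SMB and MS-SQL ports, a handheld device hitting the card
# segment, an unrelated internal host, and one malformed line.
SAMPLE_LOG = """\
2007-01-15T10:22:01 src=10.50.0.17 dst=10.60.0.5 dport=443 proto=tcp
2007-01-15T10:22:09 src=10.50.0.17 dst=10.10.0.8 dport=445 proto=tcp
2007-01-15T10:22:10 src=10.50.0.17 dst=10.10.0.8 dport=1433 proto=tcp
2007-01-15T10:23:44 src=10.50.0.23 dst=10.60.0.5 dport=443 proto=tcp
2007-01-15T10:25:02 src=10.70.0.9 dst=10.10.0.8 dport=1433 proto=tcp
2007-01-15T10:26:30 src=10.20.0.4 dst=10.10.0.8 dport=1433 proto=tcp
this line is malformed and must not crash the audit
"""


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "proto": m["proto"],
    }


def classify(rec):
    """Label a flow as 'kiosk-violation', 'wireless-to-card' or 'ok'.

    Kiosks may only talk to the explicit allow-list; any other destination,
    and the card-processing segment in particular, should have been dropped
    by the firewall. Handheld devices have no business on the card segment.
    """
    src, dst = rec["src"], rec["dst"]
    if src in KIOSK_NET and (dst, rec["dport"]) not in ALLOWED_FROM_KIOSK:
        return "kiosk-violation"
    if src in WIRELESS_NET and dst in CARD_NET:
        return "wireless-to-card"
    return "ok"


def audit(log_text):
    """Parse every line, classify it, and return (findings, summary).

    findings: list of (timestamp, src, dst, dport, label) for flows not 'ok'.
    summary:  Counter of labels plus a 'malformed' count, so that unparsable
              lines (a sign of tampering or broken logging) stay visible.
    """
    findings = []
    summary = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            summary["malformed"] += 1
            continue
        label = classify(rec)
        summary[label] += 1
        if label != "ok":
            findings.append((rec["ts"], str(rec["src"]), str(rec["dst"]),
                             rec["dport"], label))
    return findings, summary


if __name__ == "__main__":
    found, counts = audit(SAMPLE_LOG)
    for finding in found:
        print("ALERT", *finding)
    print(dict(counts))
```

The same rule set, read the other way round, is the firewall policy the text calls for: deny everything from the kiosk segment except the allow-list, and deny the wireless segment any path to the card-processing hosts. The malformed-line counter matters in practice: a log that stops parsing is itself an event worth alerting on.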
TJX Security Breach could have been avoided
Ultimately, had TJX taken more precautions, the breach would not have happened. According to Jeanne Ross and Peter Weill (2002), TJX was a leading company, three times larger than its nearest competitor. It also earned profits in the billions, and a company of that size ought to have taken steps to prevent such an attack (Simpson et al., 2010). It let down its loyal customers, who were the innocent victims of its incompetence. One may also ask why this happened to such a large company rather than to others. It can be concluded that the risk of hacking was not taken seriously, and TJX therefore did little to prevent it.
Decryption: the process of transforming an encrypted message back into its original plaintext.
Encryption: the transformation of data (called "plaintext") into a form (called "ciphertext") that conceals the data's original meaning to prevent it from being known or used.
Ross, J. and Weill, P. (2002). "Six IT Decisions Your IT People Shouldn't Make." Harvard Business Review. Retrieved from: http://www.qualified-audit-partners.be/user_files/ITforBoards/GVIT_Harvard_Business_Review-Ross_Jeane___Weill_Peter_Six_IT_Decsions_Your_IT_People_Shouldnt_Make_2002.pdf
Ivey (2008). Security Breach at TJX. Richard Ivey School of Business, The University of Western Ontario.
Simpson, M. T., Backman, K. and Corley, J. (2010). Hands-On Ethical Hacking and Network Defense. Connecticut: Cengage Learning.