HomeSense, AJWright, KMaxx, HomeGoods and Winners to name just a few. In December
2006 a data breach was detected in the computer systems that process and store transactions
including credit card, debit card, check and merchandise return transactions (PRC). This breach
was originally thought to have taken place in May of 2006 but was not discovered until
December of 2006. After hiring IBM and General Dynamics to investigate the breach, TJX
revised its dates saying it believed the breach went as far back as July 2005 (Comp).
Unfortunately, with many data breaches and the way hackers infiltrate a system, it is hard
to discern exactly when the attack originated. In many attacks, hackers will make their way
into the system only to harden it and take it over so that only they can get into the system. Thus
they actually fix the system but leave enough backdoors that they can still enter and exit
the system without anyone noticing what has happened. When leaving backdoors, hackers are
essentially installing rootkits, backdoor openings or software that allow them full access to the
system to enter and exit. Once in the system, many hackers will escalate privileges to give
themselves full administrative rights, which will then allow them not only access to that one
Like many corporations, security was not seen as a necessary expenditure, and it was
not fully funded or part of the everyday working environment. Security was just something
that you did just enough of, and it was seen more as a hindrance and a cost to the bottom line. This line
This data breach was allowed to occur due to the outdated wireless security encryption
system, the lack of firewalls and data encryption software on computers using the wireless
network, and lastly an additional layer of security software that was purchased but not installed.
The thieves were able to access the data that was streaming between hand-held price-checking
devices, cash registers, and the store's computers. Through the use of SQL injection, much of
the data was extracted from the TJX systems and later sold to cyber criminals in Eastern Europe
This was the biggest loss of personal data, including credit card numbers, in history. The
numbers totaled 45.6 million card numbers (Comp) over a period of 18 months by an unknown
number of intruders. In addition, data for about 451,000 individuals who returned
merchandise without receipts in 2003 was also stolen. Many banks and credit unions around the
United States had to block and reissue thousands of payment cards as a result of the data breach
(Comp). Due to the nature of the data stolen, it is hard to know the true extent of the
type of data stolen, as TJX does not retain much of the information that is processed during the
transactions (Comp). The use of the data has led to the millions of dollars in lost revenue by
Some of the information security laws that TJX broke or did not follow were the Safe
Harbor regulations, which require the privacy of data. This was not accomplished, as their
wireless system was not properly encrypted and hackers could simply drive by and steal data of a
personal nature without any regard. By not meeting the European Commission's standard for
privacy, TJX again fell out of compliance with this regulation while engaging
in business.
Another regulation that was broken during this breach was the Gramm-Leach-Bliley Act
(GLBA). TJX broke this regulation by not implementing the software that would have mitigated
the risk of this hack and data breach. Had the software been in place, there is a good chance this
may never have occurred. Along with having the software installed, TJX would then be
following GLBA in having a robust Information Security Program that is aligned to the risks that
Two of the major regulations for corporations were broken or simply not followed. Once
again, ignorance of the regulations and rules to be followed allowed something bad to happen.
When corporations start enforcing and get senior management buy-in to fund and properly put in
place an information security program, then data breaches like the TJX breach will be minimized
The resolution for this situation came at a cost of over $200 million to all parties
involved. Many retailers had to sue to get lost revenue back, and still they were not able to
recoup all of the lost revenue. Many lending institutions had to block payment cards and reissue
them. People were prone to identity theft and having their credit ruined due to false purchases
and lack of payment for those purchases. TJX was forced to ensure that its security systems
were brought up to current standards, and it was watched for some time to ensure that the
standard was being maintained. In addition, TJX was forced to hire some of the best consultants
In conclusion, TJX to this day is still settling lawsuits from this data breach that occurred
in 2005. As late as July 8, 2010, TJX settled its latest lawsuit with the Louisiana Municipal
Police Employees' Retirement System, a shareholder of TJX stock. They settled for
$595,000 in legal fees and enhanced oversight of customer files (PRC). Totals for this data
breach alone are staggering, with upwards of 100 million people affected and up to nearly $10
million spent by TJX in payouts for lawsuits (Westervelt). This data breach has led to many
advancements in the consumer industry in credit card security, online payment and transaction
security, and identity theft protection, as well as a general heightened awareness that, as technology has
advanced, so has the ability to steal information in this day and age.
Bibliography
Kairab, S. (2005). A Practical Guide to Security Assessments. Washington DC: Auerbach.
Various. (2010, September). Privacy Rights Clearinghouse - TJX Data Breach. Retrieved February 10, 2011, from Privacy Rights Clearinghouse: http://www.privacyrights.org/ar/ChronDataBreaches.htm
Vijayan, J. (2007, March 29). TJX Data Breach: At 45.6M card numbers, it's the biggest ever. Retrieved February 11, 2011, from ComputerWorld: http://www.computerworld.com/s/article/9014782/TJX_data_breach_At_45.6M_card_numbers_it_s_the_biggest_ever
Westervelt, R. (2009, June 24). TJX to pay $9.75 million for data breach investigations. Retrieved February 11, 2011, from SearchSecurity.com: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1360065,00.html