분야
docx∙Responses of case questions
1. List and describe the security controls and weaknesses at TJX Companies
2. What people, organizations, and technology factors contributed to these weaknesses?
3. What was the business impact of TJX’s data loss on TJX, consumers, and banks?
4. How effectively did TJX deal with these problems?
∙Conclusion
and weaknesses at TJX Companies
TJX used Wired Equivalent Privacy (WEP) encryption system which was easy for hackers to attack. Furthermore, TJX had neglected to install firewalls and data encryption on many of the computers in the wireless network. Besides, TJX transmitted credit card details to banks without encryption, violating credit card company guidelines. Retailers are not supposed to store certain type of cardholder data but TJX stored that data that also for a long period of time.
Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas, that employees were able to log onto company servers using blank passwords, the fired employee, Nick Benson, told The Register. This policy was in effect as recently as May 8, more than 18 months after company officials learned a massive network breach had leaked the details of more than 94 million customer credit cards. Benson said he was fired on Wednesday after managers said he disclosed confidential company information online.
Other security issues included a store server that was running in administrator mode, making it far more susceptible to attackers. He said he brought the security issues to the attention of a district loss prevention manager name Allen in late 2006, and repeatedly discussed them with store managers. Except for a stretch when IT managers temporarily tightened password policies, the problems went unfixed.
"I was basically hitting a glass wall," said Benson, a 23-year-old freshman at the University of Kansas who worked at TJ Maxx beginning in October 2005. "Not one single thing was done. My store manager even posted the password and username on a post-it note. I told her not to do that."
