Imagine being the chief information officer (CIO) of one of the largest department store chains in...
Question:
Imagine being the chief information officer (CIO) of one of the largest department store chains in the United States. Now imagine your CEO publicly announces that the company has just become the victim of the largest known theft of credit card data in history. This is a nightmare situation for any IT security professional, and this is what happened to the TJX Companies. The TJX Companies, Incorporated is a large off-price retailer of apparel and home fashion. The company operates under several brands, including T.J. Maxx and Marshalls. On January 17, 2007, TJX announced it had become a victim of an intrusion into portions of its information systems that process and store customer transaction data. An unauthorized intruder first accessed systems in July 2005, and unauthorized access continued through mid-January 2007. On December 18, 2006, TJX discovered suspicious software on its systems and immediately initiated an investigation along with leading computer security firms. Within a few days, TJX notified law enforcement officials and met with the U.S. Department of Justice and the U.S. Secret Service to brief them on the discovery. Shortly thereafter, TJX notified contracting banks and payment card processing companies. Before the public announcement of the incident, the company notified the U.S. Federal Trade Commission (FTC), the U.S. Securities and Exchange Commission (SEC), and the Canadian authorities. At the time, this had evolved into the biggest credit card breach in history. Conservative estimates initially put the number at over 45 million credit and debit cards breached, as well as the personal information of hundreds of thousands of customers, including Social Security numbers and driver's license numbers. Although the exact details of the breach are not clear, what is known is that the breach initially occurred as a result of the attackers targeting the wireless network of one of TJX's retail stores.

The wireless network used Wired Equivalent Privacy (WEP) as an encryption method, which even at the time had been proven inadequate. The alternative was Wi-Fi Protected Access (WPA), which was introduced to replace WEP. Once the attackers penetrated this weak link, they eavesdropped on usernames and passwords used to log on to TJX's main systems in Framingham, Massachusetts. Eventually, the attackers created their own accounts on the main system and collected sensitive data. In the aftermath, TJX has become the poster child for credit card breaches. The incident has also generated a lot of conversation and debate around adequate security controls for confidential personal information. Much of the blame for this incident was placed on the poorly secured wireless networks, but what type of defense in depth or compensating controls existed? The FTC charged TJX with failure to maintain proper security controls, specifically citing the lack of firewalls, wireless security, failure to patch vulnerabilities, and failure to update antivirus signatures.

The following are the highlights of the fallout resulting from the breach:

• The company agreed to pay $9.75 million to settle state investigations.
• The company settled with the FTC. As a result, TJX has to create a comprehensive security program to protect the confidentiality of personal information it collects. In addition, TJX must submit to a third-party audit of the program every two years for the next two decades.
• The company settled lawsuits brought by consumers and banker groups. Customers were provided with a special, three-day sale and vouchers as a result of the settlement of class-action lawsuits.
• The company settled with Visa and MasterCard for almost $41 million. The company was required to implement a data-security program to ensure that this type of incident could never happen again.
• The company offered three years of credit monitoring to about 450,000 people who needed to provide their driver's licenses for transactions that occurred in the stores.
• The company set aside $250 million for breach-related costs. Many analysts believe this number could ultimately be much higher.

TJX did not break any laws. It was simply not compliant with stated payment card processing guidelines. Court documents filed by the banks that sued TJX indicated that TJX did not comply with 9 of the 12 broad provisions within the standard established for the payment card industry. Although the breach has been costly for TJX, it is a multibillion-dollar retailer that has survived and made appropriate adjustments. Smaller organizations, however, might not have survived.

Although it costs money to implement proper controls and procedures for compliance, noncompliance and security breaches have their own costs. You learned that fines can be levied for noncompliance, but what about the costs of a breach? Forrester Research puts the cost per record breached at anywhere between $90 and $305, depending on the type of breach and how regulated the industry within which the breach occurs is. Consider the following categories from which costs can arise following a breach:

• Discovery, notification, and response - legal counsel, mailings, call center support, discounted product offers
• Lost productivity - employees' attention diverted or put on other tasks requiring attention
• Opportunity cost - loss of customers and attaining new customers
• Regulatory fines - FTC, PCI, Sarbanes-Oxley
• Restitution - money set aside for payment
• Additional security and audit requirements - those levied as a result of a breach
• Other liabilities

Answer the Questions for the Case Study.

1) Consider the reasons why TJX might have had the weaker WEP encryption configured. Was this an internal standard? What could be the reason? List the possible reasons.
2) Do you feel that TJX properly handled the incident upon discovery of the breach? Consider how incident response procedures are important to the IT Security Program.
3) Had TJX collected and retained unnecessary personal data? What are the risks of holding onto data?
4) Did TJX understand where customer data resided, how it was transmitted, and whether it was encrypted?
5) If the data was encrypted, could the breach have been possible?
6) Were weaknesses and vulnerabilities within TJX discovered and documented through internal security assessments?
Expert Answer:
1) Possible reasons for having weaker WEP encryption: Outdated standards. It's possible that WEP was part of the internal standard because the company had not updated its security protocols to use the mor...