
Using a method that assesses maturity based on multiple maturity areas.

1a. Recognize the maturity level of the organization in the information below about TJ Maxx.

1b. Recognize the weakest and most developed maturity areas.

Explain details of your scoring areas in your response.

Data Security at TJX

In November 2005 Fidelity Homestead, a savings bank in Louisiana, began noticing suspicious charges from Mexico and southern California on its customers' credit cards. More than a year later, an audit revealed peculiarities in the credit card data in the computer systems of TJX Companies, an international retailer of apparel and home fashions.

TJX delayed announcement of the intrusion until January 2007, when it admitted that hackers had compromised nearly 46 million debit and credit card numbers, the largest-ever data breach in the United States.

In the summer of 2007 officials gained access to a suspect's hard drive in Turkey and identified the program on the drive as the same one used in the TJX intrusion. Messages between the suspect and his affiliates in the United States linked the crime to a well-known hacker whose username, Soup Nazi, referenced a character from the American television show Seinfeld. The Secret Service knew the username well. Albert Gonzalez had been arrested in 2004 as part of the Secret Service's Operation Firewall, a major investigation into a global network of credit card fraud.

Following TJX's announcement of the data loss, affected parties filed lawsuits in an attempt to recoup their costs. The question of liability was complicated because there were no laws defining who was liable when a retailer that was not in compliance with PCI DSS lost credit card data. Under current law, financial institutions (FIs) that issue the debit or credit cards often ultimately wind up footing the bill for both fraud-related losses and costs of issuing new cards and/or accounts for their customers . . . . FIs have also been involved in lobbying efforts designed to statutorily shift fraud losses and associated costs away from FIs to the entities actually responsible for the data security breach. A legal fight is brewing in both the courts and legislatures over who will ultimately bear the losses of identity theft-related fraud.

Impact

In 2009 the average total cost to a merchant for a data breach was $6.75 million, or $204 per compromised record. At that rate the cost to TJX of 46 million compromised records would have exceeded $9 billion. Through the end of 2009 TJX reported expenses and reserves for probable losses of $171.5 million.

Lesson Learned?

In May 2008 information about TJX's network security appeared on an Internet forum. A TJX employee revealed that blank passwords could be used on the company's servers and that the servers were always in administrator mode, making it easy for hackers, or store employees, to have escalated privileges on the system once they entered it. The employee alleged he brought the security problems to the attention of his store manager before he chose to blog about it.
