Analysis of the TJX Breach

Afshad Dholakia
Mar 21, 2017


TJX’s major security incident began in mid-2005. When examining the 10k filings from this year, particularly section 9a, it is easy to see that there was definitely some emphasis made on controls during this time. With that said, this set of internal controls applied only to the process of financial reporting, and in the 10k’s for both years, the CEO and CFO (along with other management) declared that the firm’s internal controls were sufficient based on the Internal Control — Integrated Framework published by COSO. This is a relatively standard inclusion in the 10k reports from 2005–2009; similar writings are seen in sections 9a and the Report of Independent Registered Public Accounting Firm sections throughout the years.

A notable characteristic of PricewaterhouseCoopers’ report is that it mentions three responsibilities that a firm has in creating controls for financial reporting, and the third of the three listed responsibilities is that the firm must “…provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements”. According to the case, the incident (which lasted many years) cost TJX a pre-tax value of $231m, which is incredibly significant. This, along with the 94m credit card holders’ information that was taken, leads to my problem with both the management of the firm and PwC’s exemption of it. It states in the case that the firm did what it could as soon as it found evidence of a hack, even going as far as reporting it to the authorities as soon as possible. But this doesn’t mean that the firm had taken the proper precautions to prevent a crisis, not only for the firm’s financial statements but also for its customers’ information.

This point is further reinforced when looking at the 2008 10k, where under the company overview, TJX states that “The efficient operation of our business is dependent on our information systems, including our ability to operate them effectively and to successfully implement new technologies, systems, controls and adequate disaster recovery systems. In addition, we must protect the confidentiality of data of our Company, our associates, our customers and other third parties.” There is a big paradox here — even though there is a distinct understanding of the impacts an intrusion can have and a good change in the way upper management of the firm approaches IT integrity through the years (particularly after 2007), there isn’t any change made to controls over financial reporting at any point in time. In fact, in 2009, section 9a states specifically “…projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate”, and this seems to be the only major change in the ethos around financial statements and the controls made by the firm to improve their integrity.

After reading through the relevant information in the 10k documents from 2005–2009, it seems that TJX knew what it was doing, but did not do enough. There was no year in which the firm failed an audit based upon COSO’s Integrated Framework guidelines, as is evident in evaluations made by both PwC and TJX’s upper management. This didn’t mean much within the context of the crisis, though, as the firm ended up with heavy losses both financially and in the public eye. While I can say that the general thought processes employed by upper management definitely changed positively, the firm wasn’t in a good position to start with (courts showed that TJX did not have necessary log information about at-risk credit cards, failed nine out of 12 control requirements for PCI DSS, had old and unencrypted data that was no longer being used by the organization, and had auditors that didn’t account for a lack of compliance with 3 PCI DSS control requirements). The case ends with Michel’s first day of work creating controls and filling gaps in risk mitigation, but in the context of the incident as a whole (from its inception in 2005 to when the case ends in 2007), it seems like TJX is in a “too little too late” situation for its security controls and risk mitigation policies, regardless of how many financial audits it passed.
