Case Study: TJ Maxx’s Data Breach
Information technology (IT) is a critical aspect of running any type of organization. IT is what allows valuable information, or assets, to move around and between entities. Protecting that IT infrastructure and the associated data it processes is especially important and becoming harder every day. Organizations are constantly under threat of attack from cyber criminals (Naseer et al., 2021).
This article will examine one case where failing to protect data assets was clear: the 2007 data breach of TJX. It will summarize the data breach and how TJX handled the breach’s discovery, including how TJX dealt with the public, its customers, federal regulators, and law enforcement. This article will then discuss what cybersecurity practices TJX had in place at the time of the attack and the significant outcomes from the data breach.
Overview of the TJX Data Breach
TJX is a large multinational clothing and home goods retailer operating several brands of stores in the United States, Canada, and Europe. According to Cereola and Cereola (2011), TJX made a significant investment in its information systems and used these IT elements to operate its business effectively and efficiently. However, in 2007, TJX disclosed to the public it was the victim of a data breach. Criminals stole over 45 million credit and debit cards, making it one of the largest data breaches at the time (Weiss & Solomon, 2016).
TJX’s Handling of the Incident
After an investigation (both internally and via outside firms), TJX determined it had threat actors inside its IT systems for nearly 18 months: from July 2005 through December 2006 (Cereola & Cereola, 2011). TJX reported the data breach to federal law enforcement and financial regulators in the winter of 2006 (Cereola & Cereola, 2011 and Weiss & Solomon, 2016). TJX reported its data breach to the public in January 2007 (New Hampshire Department of Justice, 2007). Ultimately, the US Federal Trade Commission (FTC) filed a complaint against TJX alleging the company stored personal data in clear text and transmitted data between and within the business and company networks, generating unnecessary risks to personal customer data; having no existing security measures to restrict wireless access to its network; failing to make use of existing security measures to restrict access between the computer and the Internet; and failing to take adequate measures to detect and prevent unauthorized access (Docket C-072 3055, 2008b).
Incident response is a crucial component of any cybersecurity program. TJX should review cybersecurity events via an incident response team as part of its multi-layered for protecting its information systems and assets (Naseer et al., 2021). To be effective, the incident response element at TJX should be able to “detect, analyze, eradicate, and recover from potential cybersecurity incidents in a timely and cost-effective manner” (Naseer et al., 2021, p.1). TJX failed in incident response and basic vulnerability management because the threat actor went undetected in TJX’s systems for 18 months.
TJX Practices at the Time of the Attack
TJX, as the FTC (2008b) states, had many insufficient and egregious practices at the time of the data breach that directly led to the attack. One of these was the storing of too much consumer data for unnecessarily long periods. This was also a violation of the Payment Card Industry Data Security Standards (PCI-DSS) which are an attempt at self-regulation by the major credit card vendors in order to “implement standards for security policies, technologies and ongoing processes that protect their payment systems from breaches” (PCI Security Standards Council, 2021, para. 4). TJX needed to adhere to these standards as a condition of accepting credit and debit card payments.
Specifically, Requirement 3.2 of the PCI-DSS standards requires that entities neither store cardholder data unless it is strictly necessary nor store data from the magnetic stripe or chip on credit or debit cards after use (PCI Security Standards Council, 2018). TJX violated both concepts, according to Berg et al. (2008). Beyond making it easier for criminals to get the data, the German Federal Cartel Office has ruled excessive data storage as causing large societal harms by being anti competitive (Witt, 2021).
Besides the above violation, TJX breached other basic cybersecurity ideas. For example, Berg et al. (2008) note that TJX was using an encryption standard that researchers previously identified as vulnerable (Cam-Winget et al., 2003 and Fluhrer et al., 2001). This clearly violated PCI-DSS Requirement 4.1, which says payment processors like TJX are to “[e]nsure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices to implement strong encryption for authentication and transmission” (PCI Security Standards Council, 2018, p. 16). TJX stored credit and debit card data in plaintext, i.e. TJX did not encrypt this information (Berg et al., 2008). Again, TJX violated PCI-DSS Requirement 3.4 for making sensitive data unreadable (PCI Security Standards Council, 2018). If TJX had taken this action, they would have made the data unusable by criminals.
Effects of the Data Breach on TJX
The FTC ordered TJX to appoint a cybersecurity officer, identify “specific administrative, technical, and physical safeguards” (Docket C-072 3055, 2008a, p. 4), and certify their new cybersecurity program was operating efficiently each year for the next twenty years. In addition, TJX paid significant sums of money to settle issues with the credit card companies (nearly $41 million to VISA, $24 million to MasterCard), and attorneys general of multiple states to prove their IT systems were secure and pay restitution to affected customers for direct harm and for credit monitoring (Cereola & Cereola, 2011). The total cost of the data breach to TJX exceeded $250 million (Kerber, 2007).
TJX’s data breach in 2007 doesn’t even rank in the top 15 of data breaches now (Hill & Swinhoe, 2021). It was a watershed moment for cybersecurity in organizations when it occurred, however. While TJX did all the right things from a post-incident standpoint (investigating internally, hiring outside experts, and informing the public, law enforcement, and regulatory agencies), those actions do not obscure the weak cybersecurity practices in place pre-breach. TJX’s poor cyber hygiene around critical assets (arguably their crown jewels: customer data) including the lack of a viable incident response capability and the fact that they were unable to detect these issues early on warranted the financial penalties they suffered and the FTC’s judgement against them.
Berg, G. G., Freeman, M. S., & Schneider, K. M. (2008). Analyzing the TJ Maxx data security fiasco: lessons for auditors. The CPA Journal, 34–37.
Butts, T. (2021, September 16). Exhibitors, attendees react to nab show cancellation. TVTechnology. Retrieved September 16, 2021, from https://www.tvtechnology.com/news/exhibitors-attendees-react-to-nab-show-cancellation.
Cam-Winget, N., Housley, R., Wagner, D., & Walker, J. (2003). Security flaws In 802.11 data link protocols. Communications of the ACM, 46(5), 35–39. https://doi.org/10.1145/769800.769823
Cereola, S. J., & Cereola, R. J. (2011). Breach of data at TJX: An instructional case used to study COSO and COBIT, with a focus on computer Controls, data security, and privacy legislation. Issues in Accounting Education, 26(3), 521–545. https://doi.org/10.2308/iace-50031
Docket C-072 3055 (Agreement containing consent order), Proceedings FTC.gov (US Federal Trade Commission 2008a). Retrieved September 15, 2021, from https://www.ftc.gov/sites/default/files/documents/cases/2008/03/080327complaint_0.pdf.
Docket C-072–3055 (In the Matter of the TJX Companies, Inc.), Proceedings FTC.gov (US Federal Trade Commission 2008b). Retrieved September 15, 2021, from https://www.ftc.gov/sites/default/files/documents/cases/2008/08/080801tjxdo.pdf.
Fluhrer, S., Mantin, I., & Shamir, A. (2001). Weaknesses in the key scheduling algorithm of RC4. Selected Areas in Cryptography, 1–24. https://doi.org/10.1007/3-540-45537-x_1.
Hill, M., & Swinhoe, D. (2021, July 16). The 15 biggest data breaches of the 21st century. CSO Online. Retrieved September 16, 2021, from https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html.
Kerber, R. (2007, August 15). Cost of data breach at TJX soars to $256m. Boston.com. Retrieved September 16, 2021, from https://tinyurl.com/yw22cx9c.
Naseer, A., Naseer, H., Ahmad, A., Maynard, S. B., & Masood Siddiqui, A. (2021). Real-time analytics, incident response process agility and enterprise cybersecurity performance: A contingent resource-based analysis. International Journal of Information Management, 59, 1–10. https://doi.org/10.1016/j.ijinfomgt.2021.102334.
New Hampshire Department of Justice. (2007, January 17). The TJX Companies, Inc. victimized by computer systems intrusion; provides information to help protect customers. Consumer Protection Bureau. Retrieved September 15, 2021, from https://www.doj.nh.gov/consumer/security-breaches/documents/tjx-20070117.pdf.
PCI Security Standards Council. (2018). PCI DSS Quick Reference Guide. Wakefield, MA; PCI Security Standards Council.
PCI Security Standards Council. (2021). Official PCI security Standards Council site — VERIFY PCI Compliance, download data security and credit card security standards. PCI Security . Retrieved September 16, 2021, from https://www.pcisecuritystandards.org/pci_security/.
Weiss, M. M., & Solomon, M. G. (2016). Auditing It infrastructures for compliance (2nd ed.). Jones and Bartlett Learning.
Witt, A. C. (2021). Excessive data collection as a form of anticompetitive conduct: the German Facebook case. The Antitrust Bulletin, 66(2), 276–307. https://doi.org/10.1177/0003603x21997028.