Security Breach at TJX — Analysis

Mounica Vennamaneni
Feb 21, 2016


TJX failure points that require attention

The data breach at TJX took place through multiple points of attack, and the investigation that followed exposed several security weaknesses. They are discussed below under technology, work process and people.

Technology

TJX used its Framingham system (US and Puerto Rico) and its Watford system (UK and Ireland) to process and store customers' debit and credit card, cheque and unreceipted merchandise-return transactions. The stored data was encrypted, but investigators found that the intruders had obtained the decryption tool, and that most of the card data was taken in transit rather than at rest: it was captured during the payment card approval process, when it was transmitted to the card issuers without encryption (a technique the reports called "skimming"). Poorly secured in-store computer kiosks were a second failure point. TJX let people apply for jobs electronically on these kiosks, which were connected to the company's network; intruders used the USB ports at the back of the terminals to load their own software, and the firewall did not block the resulting malicious traffic from the kiosks into corporate IT systems. An improperly secured Wi-Fi network was a third failure point. The store wireless LANs were protected only by WEP (Wired Equivalent Privacy), a protocol with well-known key-recovery weaknesses; attackers decoded the data streaming between hand-held devices and store computers and from there worked their way to the central database. The Wall Street Journal reported that "The $17.4-billion retailer's wireless network had less security than many people have on their home networks, and for 18 months the company had no idea what was going on".
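The paragraph above says WEP was inadequate without saying why. The added example below (my own illustration, not code from the article or from TJX) shows the most basic of WEP's flaws: each frame is encrypted with RC4 keyed by a 24-bit initialization vector (IV) prepended to the shared key, the IV is sent in the clear, and two frames that reuse an IV share the same keystream, so an attacker who knows the plaintext of one frame can decrypt the other without ever learning the key. The birthday bound tells us a busy access point repeats an IV after only a few thousand frames. The key, IV and frame contents are constructed for the demonstration; the stronger attacks actually used against WEP (FMS, PTW) recover the key itself from the same IV weakness.

```python
"""Why WEP was not enough: keystream reuse from its 24-bit IV (added example)."""
import math
import random
import zlib
from typing import Optional

IV_LEN = 3  # 24-bit IV, transmitted unencrypted ahead of the frame body


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA); returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV || RC4_{IV||key}(plaintext || CRC-32 ICV)."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    body = plaintext + icv
    ks = rc4_keystream(iv + shared_key, len(body))
    return iv + bytes(b ^ k for b, k in zip(body, ks))


def wep_decrypt(shared_key: bytes, frame: bytes) -> Optional[bytes]:
    """Legitimate receiver: strip the IV, decrypt, verify the ICV."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    ks = rc4_keystream(iv + shared_key, len(body))
    plain = bytes(b ^ k for b, k in zip(body, ks))
    data, icv = plain[:-4], plain[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        return None
    return data


def recover_with_known_plaintext(frame_a: bytes, plain_a: bytes, frame_b: bytes) -> Optional[bytes]:
    """Attacker, no key: if frame_b reuses frame_a's IV, C_a XOR P_a is the
    keystream, which decrypts frame_b. Yields as many bytes of frame_b as the
    known plaintext is long."""
    if frame_a[:IV_LEN] != frame_b[:IV_LEN]:
        return None
    c_a, c_b = frame_a[IV_LEN:], frame_b[IV_LEN:]
    ks = bytes(c ^ p for c, p in zip(c_a, plain_a))
    return bytes(c ^ k for c, k in zip(c_b, ks))


def frames_until_collision(iv_bits: int = 24, probability: float = 0.5) -> int:
    """Birthday bound: frames needed before some IV repeats with the given
    probability (about 4,800 frames for a 24-bit IV at p = 0.5)."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * n * math.log(1 / (1 - probability))))


def simulate_first_repeat(seed: int = 7) -> int:
    """Empirical check: random IVs, as many WEP cards chose them, and the
    frame count at which the first IV repeats."""
    rng = random.Random(seed)
    seen = set()
    count = 0
    while True:
        iv = rng.getrandbits(24)
        count += 1
        if iv in seen:
            return count
        seen.add(iv)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")              # constructed 40-bit WEP key
    iv = bytes.fromhex("aabbcc")                   # one IV, reused by both frames
    snap = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"     # LLC/SNAP header every IP frame starts with
    plain_a = snap + b"attacker-provoked-frame-of-known-bytes"
    plain_b = snap + b"PAN=4111111111111111;EXP=2512"  # constructed victim frame
    frame_a = wep_encrypt(key, iv, plain_a)
    frame_b = wep_encrypt(key, iv, plain_b)
    print(recover_with_known_plaintext(frame_a, plain_a, frame_b))
    print(frames_until_collision(), simulate_first_repeat())
```

The known-plaintext frame is easy to obtain in practice: the attacker sends a packet to a station from the wired side, or simply relies on the fixed LLC/SNAP header that every IP frame begins with. WPA2 with AES-CCMP fixes this by deriving a fresh per-session key and using a 48-bit packet number that never repeats within a session.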

Work Process

Initial press releases by TJX stated that 45 million payment cards were affected by the breach, but filings in the federal court in Boston arguing for class-action status put the number as high as 94 million card holders. Michael Maloof, chief technology officer at TriGeo Network Security Inc., says that "The large discrepancy between the numbers supplied by TJX and those from the banks suggests that TJX did not have the log data needed to do a proper forensic analysis of the incident". All too often, he said, companies that don't have processes in place for collecting and storing log data wind up losing the telltale tracks left behind by computer intrusions. Further supporting this theory is the Verizon Business RISK Team's investigation of breaches from 2004 to 2008, which found that "66 percent of victims had sufficient evidence available within their logs to discover the breach had they been more diligent in analyzing such resources."

People

Employees at TJX were not vigilant enough to prevent unauthorized physical access to terminals. Investigations of retail card fraud in the same period revealed that data thieves swapped a store's PIN-pad terminal for an identical device that had been electronically altered to capture customers' account numbers and PINs, returned a few days later to put the original terminal back, and made off with the altered one and the account data it held, all without the staff noticing. TJX was also not practising the PCI standards for storage of information, encryption, access controls and firewalls.

Recommendations to improve IT security at TJX

According to the Verizon Business RISK team, "The majority of breaches still occur because basic controls were not in place or because those that were present were not consistently implemented across the organization". They add, "Most of these incidents do not require difficult or expensive preventive controls; mistakes and oversight hinder security efforts more than a lack of resources" (NetForensics, 2009). TJX has two distinct areas to focus on: short-term priorities, and a long-term plan to prevent another attack of this scale.

Short-term priorities

TJX's short-term priority is to identify the known security gaps and close them. The following recommendations would improve its security in the short term:

1) Replace the existing WEP (Wired Equivalent Privacy) wireless encryption with Wi-Fi Protected Access, specifically WPA2 with AES-CCMP; the original TKIP-based WPA was only a stopgap for hardware that could not do AES.

2) Stop storing the full magnetic-stripe (track) contents of customers' credit and debit cards after authorization. (PillsburyLaw, 2009)

3) Purge all unnecessary customer information saved on its systems, on a fixed retention schedule. Ashley Madison did not delete users' data even after the users deleted their accounts, and the hackers got all of it. (Wired, 2015)

4) Change the encryption methodology used to protect stored personally identifiable information, and manage the keys so that compromising a system does not hand the attacker the decryption tool together with the data, as happened here.

5) Review what information is collected from customers, stop asking for anything unnecessary, and stop relying on driver's license numbers or SSNs to uniquely identify customers.

6) Disable the USB ports on all in-store kiosks, physically or by policy, and lock the kiosks down to a single application (kiosk mode) so that customers cannot open anything else on them.

7) Use firewalls to segment the systems that contain sensitive information from the rest of the network traffic, and put access controls in place so that no system can be reached without authorization. The Target breach began with network credentials stolen from a third-party HVAC vendor; because Target's network was not segmented, that foothold led straight to the systems holding payment data. (BGR, 2014)

8) Review the e-commerce site to make sure it has no common web flaws such as SQL injection. (Wired, 2015)
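Items 2 through 4 above come down to one rule: after a card is authorized, the merchant may keep the PAN only if it is rendered unreadable, may keep the expiry date, and must never keep the full track, the CVV2 or the PIN. The added example below (my own illustration, not code from the article or from TJX's systems) parses a Track 2 magnetic-stripe read, builds the only record that should reach long-term storage, flags prohibited fields or a clear-text PAN in anything that is about to be stored, scans free text such as log lines for card numbers that leaked anyway, and purges records past a retention window. The card number 4111111111111111 is a standard test PAN, the HMAC key is a placeholder, and the Track 2 string and dates are constructed.

```python
"""What a merchant may keep after authorization, and for how long (added example)."""
import hashlib
import hmac
import re
from datetime import date, timedelta
from typing import Dict, List, Optional

# Track 2 layout: ';' PAN '=' expiry YYMM, 3-digit service code, discretionary data, '?'
TRACK2_RE = re.compile(r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$")
PAN_RUN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Sensitive authentication data: never stored after authorization under PCI DSS.
PROHIBITED_KEYS = {"track1", "track2", "cvv2", "cvc2", "pin", "pin_block", "service_code"}


def luhn_ok(pan: str) -> bool:
    """Luhn check digit, so random digit runs are not mistaken for PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(track2: str) -> Optional[Dict[str, str]]:
    """In-memory only: the parsed track must never be written anywhere."""
    m = TRACK2_RE.match(track2)
    if not m or not luhn_ok(m["pan"]):
        return None
    return m.groupdict()


def mask_pan(pan: str) -> str:
    """First six and last four digits are the most PCI allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def storable_record(track2: str, cvv2: str, hmac_key: bytes, authorized_on: date) -> Dict[str, str]:
    """The record that may be stored after a successful authorization.
    `cvv2` is accepted because the authorization request needs it, and is
    deliberately dropped here: it must never be stored."""
    t = parse_track2(track2)
    if t is None:
        raise ValueError("unparseable or Luhn-invalid track 2")
    del cvv2  # make the drop explicit
    pan = t["pan"]
    return {
        "pan_masked": mask_pan(pan),
        # keyed hash rather than bare SHA-256: with the BIN and last four printed
        # on every receipt, an unkeyed hash of a 16-digit PAN is brute-forceable
        "pan_token": hmac.new(hmac_key, pan.encode(), hashlib.sha256).hexdigest(),
        "expiry": t["exp"],
        "authorized_on": authorized_on.isoformat(),
    }


def violations(record: Dict[str, str]) -> List[str]:
    """Pre-storage gate: prohibited fields, or a clear-text PAN in any value."""
    found = [f"prohibited field {k}" for k in record if k.lower() in PROHIBITED_KEYS]
    for k, v in record.items():
        if k == "pan_token":  # hex token; a chance digit run in it is not a PAN
            continue
        if any(luhn_ok(run) for run in PAN_RUN_RE.findall(str(v))):
            found.append(f"clear-text PAN in {k}")
    return found


def find_pans(text: str) -> List[str]:
    """Scan a log line or memory dump for Luhn-valid card numbers."""
    return [run for run in PAN_RUN_RE.findall(text) if luhn_ok(run)]


def purge_expired(records: List[Dict[str, str]], today: date, retention_days: int) -> List[Dict[str, str]]:
    """Keep only records inside the retention window; older ones are dropped."""
    cutoff = today - timedelta(days=retention_days)
    return [r for r in records if date.fromisoformat(r["authorized_on"]) >= cutoff]


if __name__ == "__main__":
    track = ";4111111111111111=25121010000000000?"   # constructed Track 2 read
    rec = storable_record(track, "123", b"placeholder-key", date(2007, 1, 12))
    print(rec, violations(rec))
    print(find_pans("2007-01-12 auth ok pan=4111111111111111 amt=42.00"))
```

Run `find_pans` over exported logs and crash dumps as well as the database: at TJX the card data that leaked was not only what sat in tables, but what moved unencrypted through the authorization path.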

Long-term plan

TJX needs to treat spending on IT security as a business decision rather than purely a technology issue. Some recommendations to improve its systems' security over the long term:

1) Put a process in place to keep all critical software components up to date and to apply the security patches released by software vendors promptly.

2) Hire penetration testers (white-hat hackers) to find weaknesses in the systems and fix them before real attackers find and exploit them.

3) The TJX breach went undetected for about 18 months, and its scope could not be established afterwards, partly because logging was ineffective and nobody monitored the logs that did exist. Centralized log collection with continuous monitoring and analysis to detect anomalies would greatly improve detection. Many vendors sell such products, for example Splunk, and anomaly-detection engines that run on top of log platforms (Prelert's, for instance) flag unusual behaviour in near real time.

4) Put in place a training program so that associates do not leave terminals unattended, do not connect personal devices to the in-store network, and do not browse the web from in-store computers. Some of the biggest breaches started when an employee clicked a link in a suspect email and let an intruder into the system. (BGR, 2014)

5) Upgrade the POS systems to card readers that support EMV ("Chip-and-PIN") cards. Most of the retailers breached in 2014 were hit by POS memory-scraping malware (KasperskyLab, 2014). EMV does not stop such malware from reading what passes through the terminal, but the data from a chip transaction cannot be used to produce a working counterfeit magnetic-stripe card, which removes most of the stolen data's value; pairing EMV with point-to-point encryption between the reader and the processor keeps clear-text card data out of the POS altogether.
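The Work Process section and item 3 above both come down to the same point: the evidence was in the logs, and nobody looked. The added example below (my own illustration, not code from the article or from any TJX system) runs three detections over a constructed firewall log in a constructed store topology, each mapped to a failure point the article describes: a flow into the card-data environment (CDE) from a zone that has no business there (job kiosks, wireless hand-helds), any access to the CDE outside store hours, and more than a set volume of data leaving the CDE from one host. The log format, IP ranges, zone names and thresholds are all assumptions.

```python
"""Detection over constructed firewall logs for the TJX failure points (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"action=(?P<action>\w+) bytes=(?P<bytes>\d+)$"
)

# Assumed store topology: address prefix -> zone.
ZONES = {
    "10.10.1.": "cde",               # payment DB and settlement hosts
    "10.20.": "store-pos",           # registers, the only clients the CDE should see
    "10.30.": "kiosk",               # job-application kiosks on the shop floor
    "10.40.": "wireless-handheld",   # inventory scanners on the store WLAN
    "10.50.": "corp",
}
ALLOWED_INTO_CDE = {"cde", "store-pos"}
STORE_HOURS = range(7, 23)            # 07:00 to 22:59 local time
EXFIL_BYTES_PER_HOST = 50_000_000     # per analysed batch

Alert = Tuple[str, str, str]          # (rule, host, detail)

# Constructed sample log: one normal POS flow, a kiosk reaching the DB at 02:14,
# the DB host pushing 57 MB to an outside address, a hand-held hitting the DB,
# and one unparseable line. Every flow was allowed by the firewall; that is the point.
SAMPLE_LOG = [
    "2007-01-12T10:02:11 src=10.20.4.7 dst=10.10.1.5:1433 action=allow bytes=2048",
    "2007-01-12T02:14:05 src=10.30.2.9 dst=10.10.1.5:1433 action=allow bytes=5120",
    "2007-01-12T02:20:40 src=10.10.1.5 dst=203.0.113.7:443 action=allow bytes=30000000",
    "2007-01-12T02:41:03 src=10.10.1.5 dst=203.0.113.7:443 action=allow bytes=27000000",
    "2007-01-12T11:30:00 src=10.40.1.3 dst=10.10.1.5:1433 action=allow bytes=4096",
    "this line is not a firewall record and is skipped",
]


def zone_of(ip: str) -> str:
    """Longest-prefix lookup is unnecessary here because no prefix nests another."""
    for prefix, zone in ZONES.items():
        if ip.startswith(prefix):
            return zone
    return "external"


def parse_line(line: str) -> Optional[Dict]:
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
        "action": m["action"], "bytes": int(m["bytes"]),
    }


def analyze(lines: List[str]) -> List[Alert]:
    """Segmentation, off-hours and exfil-volume rules over one batch of lines."""
    alerts: List[Alert] = []
    out_bytes: Dict[str, int] = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src_zone, dst_zone = zone_of(ev["src"]), zone_of(ev["dst"])
        if dst_zone == "cde" and src_zone not in ALLOWED_INTO_CDE:
            alerts.append(("segmentation", ev["src"], f"{src_zone} reached cde:{ev['dport']}"))
        if dst_zone == "cde" and ev["ts"].hour not in STORE_HOURS:
            alerts.append(("off-hours", ev["src"], f"cde access at {ev['ts'].time()}"))
        if src_zone == "cde" and dst_zone != "cde":
            out_bytes[ev["src"]] += ev["bytes"]
    for host, total in out_bytes.items():
        if total > EXFIL_BYTES_PER_HOST:
            alerts.append(("exfil-volume", host, f"{total} bytes left the cde"))
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    counts: Dict[str, int] = defaultdict(int)
    for rule, _, _ in alerts:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The segmentation rule only has something to match if the firewall logs allowed traffic and not just denials, which is the first configuration change to make; the exfil threshold should be set from a baseline of the CDE host's normal outbound volume, not a round number.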

TJX role in the security breach

A group of 11 people, known as the Gonzalez gang after its leader Albert Gonzalez, was charged with stealing more than 40 million credit and debit card numbers from Framingham, Mass.-based TJX and eight other retailers. These included some of the largest reported hacks of all time, including BJ's Wholesale Club and DSW. The gang operated from Miami, the same city where officials believe the TJX heist began when the hackers broke into the insecure wireless connections at two Marshalls locations. Although the hackers carried out the breach, TJX bears a large share of the responsibility. Ericka Chickowski, a journalist covering information technology and IT risk management, writes: "The record-breaking breach suffered by the TJX Companies didn't just happen — it was the result of conscious choices made by the retailer's IT executives to risk not adopting security best practices, and regulators' decisions to treat the retailer with kid gloves". The PCI data security standard, which requires a secure network, encryption of cardholder data in storage and in transmission, and well-enforced access-control measures, was established by the card brands in 2004, two years before TJX announced its breach, yet TJX did not meet all of its requirements for a long time. For instance, it was retaining full magnetic-stripe data and card verification values, which PCI prohibits storing after authorization (card numbers and expiration dates may be kept only if rendered unreadable). PCI also says not to rely on wired equivalent privacy (WEP) to protect the confidentiality of, or access to, a wireless LAN, and calls instead for Wi-Fi protected access (WPA or WPA2), an IPsec VPN, or SSL/TLS to encrypt transmissions. Instead of enforcing these rules, card processors such as Visa gave TJX multiple passes. An email from TJX's CIO, Paul Butka, that later became public indicated that TJX was more concerned with saving money and deferring audit requirements than with improving security.

In the email Butka suggested that TJX could be PCI compliant without upgrading to WPA, and that it should take advantage of the leniency to save cash in spite of the security risk. Not all of the staff at TJX agreed: a senior IT staffer warned that "The absence of rotating keys in WEP means that we truly are not in compliance with the requirements of PCI. This becomes an issue if this fact becomes known and potentially exacerbates any findings should a breach be revealed." This shows that TJX had knowingly cut corners.

References:

1) NetForensics Whitepaper, 2009. Think Data Breaches Can’t Happen To You? Think Again. Retrieved from https://developer.cisco.com/fileMedia/download/2f0e334b-d579-4b02-9074-3d9504954c22

2) Pillsbury Law, July 2009. TJ Maxx Settlement Requires Creation of Information Security Program and Funding of State Data Protection and Prosecution Efforts. Retrieved from http://www.pillsburylaw.com/siteFiles/Publications/7F4F43B367B5276B0CFA6D13CFF4044C.pdf

3) Wired, August 2015. Answers to Your Burning Questions on the Ashley Madison Hack. Retrieved from http://www.wired.com/2015/08/ashley-madison-hack-everything-you-need-to-know-your-questions-explained/

4) BGR, Mar 2014. It turns out Target could have easily prevented its massive security breach. Retrieved from http://bgr.com/2014/03/13/target-data-hack-how-it-happened/

5) BGR, Feb 2014. Here’s how the Target hackers pulled off their incredible heist. Retrieved from http://bgr.com/2014/02/06/target-hackers-credentials-theft/

6) KasperskyLab, Dec 2014. 2014: the year of retailers getting hacked over and over again. Retrieved from https://business.kaspersky.com/2014-the-year-of-retailers-getting-hacked-over-and-over-again/3452/


Mounica Vennamaneni

Recent MBA graduate from San Francisco State University with emphasis on Information Systems and Decision Sciences.