Security Breach at Tjx
Author: Adnan • April 12, 2018 • 1,299 Words (6 Pages) • 613 Views
...
Alternatives and Recommendations
- TJX can do nothing about the security breach. Since the customer data have already been exposed to identity fraud, there is no way to recover them anyway. However, if TJX does not react, the attacks will recur and the company will not regain the confidence and credibility of its customers; it may end up going out of business.
- Another solution is outsourcing the information systems. TJX can outsource data encryption, the secured network and the management of customer information to another company. By outsourcing, TJX can improve its information systems by storing customer information on secure servers and using advanced encryption technology and a secured wireless network. However, outsourcing has many limitations, such as loss of direct managerial control and lack of flexibility.
- TJX should deal with the security breach by establishing detailed security plans and procedures that both minimize the risks and deal with problems. It should adopt Steve Andriole's "8 Keys to a Sane Security Strategy" to protect its information resources. These 8 elements can help TJX safeguard its systems and data.
Based on the analysis of the current situation, the recommendation is for TJX to adopt alternative #3: establish security plans and procedures by implementing Andriole's approach. TJX should create a clear written policy that covers access to data, applications and networks, software, privacy, recovery, and system development, and should also establish procedures for user authentication and authorization. All of this can help TJX focus on plugging the loopholes in the company's IT security.
Implementation Plan
Some of the actions may include:
Short-term (1 – 6 months):
- Focus on affected customers and work to rebuild reputation and customer confidence.
- Implement WPA encryption technology to protect customers’ information and data.
- Monitor and test WLAN security for wireless network to protect the network resources and data.
- Install and maintain a firewall configuration to protect data.
- Establish procedures for user authentication and authorization in order to restrict logical access to data to business need-to-know, and restrict physical access to data.
- Educate all levels of the business on how to detect security infiltrations.
- Cease the collection of customer driver’s license and other provincial identification numbers during merchandise returns, and purge such information from all its databases.
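As an added illustration of the two short-term items on need-to-know access and purging identification numbers (this is not code from the original case write-up, and TJX's actual systems are not described on the page), the following Python sketch enforces a deny-by-default, field-level need-to-know matrix on a customer return store, records every access decision in an audit log, and purges driver's licence and provincial ID fields from the stored records. The role names, field names and sample records are constructed assumptions.

```python
"""Added example: field-level need-to-know access plus purge of ID numbers.

Roles, field names and the sample records below are constructed for
illustration; they do not describe any real system.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Identification numbers a merchandise return does not need to retain.
ID_NUMBER_FIELDS: Set[str] = {"drivers_license", "provincial_id"}

# Constructed need-to-know matrix: the record fields each role may read.
# Any (role, field) pair not listed here is denied (deny by default).
NEED_TO_KNOW: Dict[str, Set[str]] = {
    "store_clerk": {"customer_id", "return_amount"},
    "fraud_analyst": {"customer_id", "return_amount", "card_last4"},
    "dba": set(),  # operates the database, has no need for customer content
}


@dataclass
class AuditEvent:
    role: str
    field_name: str
    allowed: bool


@dataclass
class CustomerStore:
    records: List[Dict[str, str]]
    audit_log: List[AuditEvent] = field(default_factory=list)

    def read_field(self, role: str, record_index: int, field_name: str) -> str:
        """Return one field of one record if the role has a need-to-know.

        Every decision, allowed or denied, is appended to the audit log so
        that denied attempts are visible to whoever monitors the system.
        """
        allowed = field_name in NEED_TO_KNOW.get(role, set())
        self.audit_log.append(AuditEvent(role, field_name, allowed))
        if not allowed:
            raise PermissionError(f"role {role!r} has no need-to-know for {field_name!r}")
        return self.records[record_index][field_name]

    def purge_id_numbers(self) -> int:
        """Delete identification-number fields from all records.

        Returns how many fields were removed; a second call returns 0.
        """
        removed = 0
        for rec in self.records:
            for name in ID_NUMBER_FIELDS:
                if rec.pop(name, None) is not None:
                    removed += 1
        return removed

    def denied_reads(self) -> int:
        """Count of access attempts the need-to-know check refused."""
        return sum(1 for e in self.audit_log if not e.allowed)


def read_or_none(store: CustomerStore, role: str, idx: int, name: str) -> Optional[str]:
    """Convenience wrapper: None instead of an exception on a denied read."""
    try:
        return store.read_field(role, idx, name)
    except PermissionError:
        return None


def build_sample_store() -> CustomerStore:
    """Constructed sample records (not real customer data)."""
    return CustomerStore(records=[
        {"customer_id": "C1001", "return_amount": "49.99",
         "card_last4": "4242", "drivers_license": "D1234-56789"},
        {"customer_id": "C1002", "return_amount": "12.00",
         "card_last4": "1111", "provincial_id": "P987654"},
    ])


if __name__ == "__main__":
    store = build_sample_store()
    print("analyst card_last4:", store.read_field("fraud_analyst", 0, "card_last4"))
    print("clerk card_last4:", read_or_none(store, "store_clerk", 0, "card_last4"))
    print("fields purged:", store.purge_id_numbers())
    print("denied reads logged:", store.denied_reads())
```

The matrix is deliberately small: the point is that the default is deny, that a role with no business reason to see a field (here the database operator) gets nothing, and that once the identification numbers are purged no role can read them regardless of the matrix. The audit log is what the monitoring item in the same list would consume.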
Long-term (6 – 12 months):
- Develop and maintain an information security policy.
- Implement risk assessment to identify possible threats, and evaluate the likelihood of each occurring and its consequence or impact.
- Make sure the company follows the PCI DSS standards.
- Make sure the management of TJX recognizes that IT security is a business issue and not a technology issue. An IT security breach can affect the entire business.
TJX must recognize the wide variety of threats to information systems security. A well-designed security policy should be drafted to protect against the risks that have been identified, taking into account people factors, such as ethical behaviour, and technological factors.
In the short term, TJX's priority is to understand the failure points and to tighten and improve IT security. In the long term, it has to work on minimizing risks so that the attack does not happen again. Also, the management of TJX has to recognize that IT security is a business issue and not a technology issue, and regain the confidence and credibility of its customers.
...