
Security Breach at TJX — Analysis

Mounica Vennamaneni
Feb 21, 2016

TJX failure points that require attention

The data breach at TJX took place through multiple points of attack and revealed several
security vulnerabilities, which are discussed below:

Technology

TJX used the Framingham system in the US and Puerto Rico, and the Watford system in the UK
and Ireland, to process and store customers' debit and credit card, cheque and unreceipted
merchandise-return transactions.

The data was encrypted before it was stored using the encryption software WEP.
Investigations revealed that the intruders had access to the decryption tool and that data was
primarily stolen through a hacking technique called “skimming”. This involves stealing data
during the payment card approval process, when data is transmitted to payment card issuers
without encryption. Poorly secured in-store computer kiosks were also identified as failure
points that led to the breach. TJX allowed people to apply for jobs electronically using the
kiosks, which ultimately acted as a gateway to the company’s IT systems. It was revealed that
intruders used USB drives plugged into the back of these terminals to load software, and that
the firewall was not strong enough to defend against the malicious traffic coming from the
kiosks. An improperly secured Wi-Fi network was another failure point: through it, hackers
decoded data streaming between hand-held devices and store computers, which led to the
compromise of the central database. The WSJ reports: “The $17.4-billion retailer’s wireless
network had less security than many people have on their home networks, and for 18 months
the company had no idea what was going on”.

Work Process

Initial press releases by TJX stated that 45 million payment cards were affected by the
breach, but filings made in federal court in Boston arguing for class action status showed
that the affected numbers were as high as 94 million card holders. Michael Maloof, chief
technology officer at Trigeo Network Security Inc, says that “The large discrepancy between
the numbers supplied by TJX and those from the banks suggest that TJX did not have the log
data needed to do a proper forensic analysis of the incident”. All too often, he said,
companies that don’t have processes in place for collecting and storing log data wind up
losing the telltale tracks left behind by computer intrusions. Further supporting this theory is
the investigation by the Verizon Business RISK Team on breaches occurring from 2004 to 2008,
which revealed, “66 percent of victims had sufficient evidence available within their logs to
discover the breach had they been more diligent in analyzing such resources.”

People

Employees at TJX were not vigilant enough to prevent unauthorized access to terminals.
Investigations revealed that data thieves swapped the store’s PIN-pad terminal with an
identical device that had been electronically altered to capture customers’ account numbers
and PINs, and that the thieves returned to the store a few days later to put the original
terminal back, making off with the altered one containing customers’ account information. All
of this went unnoticed by the staff. Further, TJX was not following PCI standards regarding
storage of information, encryption, access controls and firewalls.

Recommendations to improve IT security at TJX

According to the Verizon Business RISK Team, “The majority of breaches still occur because
basic controls were not in place or because those that were present were not consistently
implemented across the organization”. They add, “Most of these incidents do not require
difficult or expensive preventive controls; mistakes and oversight hinder security efforts more
than a lack of resources” (NetForensics, 2009). TJX has two distinct areas to focus on:
short-term priorities and a long-term plan to prevent another attack of this scale.

Short-term priorities

TJX's short-term priority should be to identify all security loopholes and tighten its
systems' security. The following are some recommendations to improve its security in the
short term:

1) Replace existing Wired Equivalent Privacy (WEP) based wireless systems with Wi-Fi
Protected Access (WPA).

2) Should not save the magnetic stripe contents of customers’ credit and debit cards.
(PillsburyLaw, 2009)

3) Should purge all unnecessary customer information saved on its systems. Ashley Madison
did not delete users' data even after the users deleted their accounts, and hackers were able
to get access to the data. (Wired, 2015)

4) Should change the encryption methodology used to save customers' personally identifiable
information.

5) Should review what information gets collected from customers, not ask for unnecessary
information, and not rely on driver’s license numbers or SSNs to uniquely identify
customers.

6) Should disable USB access on all in-store kiosks. It should also lock down the kiosks so
that customers using them cannot open any other applications.

7) Have firewalls that segment the systems containing sensitive information from other
systems' traffic, and also have access controls in place to prevent unauthorized access to any
system. The hack at Target occurred when the HVAC system was able to connect to central
Target systems. (BGR, 2014)

8) Should also review its ecommerce site to make sure it is secure and has no flaws such as
SQL injection. (Wired, 2015)

Long-term plan

TJX needs to realize that spending money on IT security is a business decision rather than a
technology issue. Some recommendations to improve its systems' security:

1) Have a process to keep all critical software components up to date and to apply the
security patches released by software vendors.

2) Hire white-hat hackers to detect loopholes in the systems and fix them before actual
hackers detect and exploit them.

3) The hack at TJX happened partly because of ineffective logging and a failure to monitor
the logs. Log monitoring and log analysis to detect anomalies would greatly improve its
security. There are many vendors providing such solutions, and TJX should invest in one.
Software like Fisheye and Splunk Prelert detects malware by analyzing logs in real time.

4) Put in place a training program for all associates: do not leave terminals unattended,
connect personal devices to the in-store network, or browse the web from in-store computers.
Some of the biggest hacks occurred when employees clicked on links in suspect emails,
letting an intruder into the system. (BGR, 2014)

5) Upgrade the POS systems to use “Chip-and-PIN” enabled card readers, which protect credit
and debit cards. The majority of the retailers were hacked through POS malware, and
Chip-and-PIN enabled card readers would have protected them. (KasperskyLab, 2014)

TJX role in the security breach

A group of 11 people known as the Gonzalez gang, named after its leader Albert Gonzalez,
was charged with stealing more than 40 million credit and debit card numbers from
Framingham, Mass.-based TJX and eight other retailers. These included some of the largest
reported hacks of all time, including BJ’s Wholesale Club and DSW. The gang was from
Miami, the same city where officials believe the TJX heist began, when hackers broke into
the insecure wireless connections at two Marshalls locations.

Although the hackers were the main cause of the breach, TJX was equally responsible. Ericka
Chickowski, a journalist covering information technology and IT risk management, says “The
record-breaking breach suffered by the TJX Companies didn’t just happen — it was the result
of conscious choices made by the retailer’s IT executives to risk not adopting security best
practices, and regulators’ decisions to treat the retailer with kid gloves”. Even though PCI
data security standards, such as establishing a secure network, encrypting data during storage
and transmission, and well-enforced access control measures, were established by credit card
processors in 2004, two years before TJX announced its data breach, TJX did not meet all the
requirements for a long time. For instance, it was storing card numbers, expiration dates and
card verification value codes, all of which is prohibited by PCI. PCI also states not to rely
on Wired Equivalent Privacy (WEP) to protect the confidentiality of and access to a wireless
LAN; it recommends Wi-Fi Protected Access (WPA or WPA2), IPsec VPN, or SSL/TLS to
encrypt transmissions.

Instead of strongly enforcing the rules, credit card processors like Visa gave TJX multiple
passes. An email from the CIO of TJX that went public indicated that TJX was more concerned
with saving money and skipping auditing requirements than with increasing security. In the
mail, Butka had suggested that they could be PCI compliant without upgrading to WPA
technology and that TJX should take advantage of the leniency to save cash, in spite of the
security risks. Not all of the staff at TJX agreed with this, and a senior-level IT staffer
forewarned that “The absence of rotating keys in WEP means that we truly are not in
compliance with the requirements of PCI. This becomes an issue if this fact becomes known
and potentially exacerbates any findings should a breach be revealed.” This showed that TJX
had cut corners.
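Short-term items 2 and 4 and the paragraph above both turn on what a retailer may keep after a card is authorized: PCI prohibits storing full magnetic-stripe track data, the card verification value and the PIN, and the PAN may only be kept masked or otherwise protected. The following added example (not from the original analysis) shows a storage-side filter that enforces that rule on an authorization record, plus an audit that finds stored records still carrying prohibited fields. The field names, the record and the key are constructed.

```python
"""Added example, not part of the original analysis: keep an authorization
record PCI-safe before it is written to storage. Field names, the sample
record and the HMAC key are constructed for illustration."""
import hashlib
import hmac

# Fields that must never be persisted after authorization (full track data,
# CVV, PIN). The PAN is handled separately: masked plus a keyed token.
PROHIBITED = {"track1", "track2", "cvv", "pin", "pin_block"}

def mask_pan(pan):
    """Keep at most the first six and last four digits, e.g. 411111******1111."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 12 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def pan_token(pan, key):
    """Keyed hash so records can be linked (returns, fraud review) without
    storing the PAN; the key must live outside the transaction database."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()

def to_storage_record(auth, key):
    """Return the subset of an authorization record that may be persisted."""
    kept = {k: v for k, v in auth.items() if k not in PROHIBITED and k != "pan"}
    kept["pan_masked"] = mask_pan(auth["pan"])
    kept["pan_token"] = pan_token(auth["pan"], key)
    return kept

def audit_stored(records):
    """List (index, fields) for stored records that still hold prohibited
    fields or a full PAN; an empty list means the store is clean."""
    findings = []
    for i, rec in enumerate(records):
        bad = sorted(PROHIBITED & set(rec))
        if "pan" in rec:
            bad.append("pan")
        if bad:
            findings.append((i, bad))
    return findings

# Constructed authorization record using a well-known test card number.
AUTH = {"pan": "4111 1111 1111 1111", "expiry": "0419", "cvv": "123",
        "track2": "4111111111111111=0419CONSTRUCTED", "amount_cents": 4599,
        "store": "0123", "approved": True}
KEY = b"constructed-demo-key-keep-in-an-hsm"  # never next to the records

if __name__ == "__main__":
    safe = to_storage_record(AUTH, KEY)
    print(safe)
    print(audit_stored([AUTH, safe]))  # only the raw record is flagged
```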
