The CASE Journal
Volume 5, Issue 2 (Spring 2009)
Lessons from Computer Intrusion at TJX
Benjamin Ngugi
Suffolk University
Glenn S Dardick
Longwood University
Gina Vega
Salem State College
ANNOUNCEMENT OF COMPUTER INTRUSION AT TJX
The TJX Companies, Inc. today announced that it has suffered an unauthorized
intrusion into its computer systems that process and store information related to
customer transactions. While TJX has specifically identified some customer
information that has been stolen from its systems, the full extent of the theft and
affected customers are not yet known,
read Dennis Frank from the TJX press statement [1] dated January 17, 2007.
It was almost the end of the fall 2007 semester. Dennis, an assistant professor of Information
Technology at a Boston university, was preparing a class presentation from his home office on
the importance of customer data protection when his mind immediately focused on the computer
intrusion at TJX earlier in the year. No other computer intrusion case could have been more
relevant; he knew that several of his students were either directly affected or knew someone who
had been affected by the TJX computer intrusion. Further, some of the issues that led to the TJX
intrusion were now finding their way to the public via the media and the Internet, so the students
would have ready access to research materials. He began analyzing all the TJX press statements
about the computer intrusion.
Dennis was distracted briefly by his wife who was furiously typing a holiday shopping list on her
computer. The holiday season had arrived and they were inundated with special offers from the
retail companies. First there was the Thanksgiving series of sales, and now the Christmas series
had started. He wondered whether to warn her to use cash when doing her shopping, as credit
cards were becoming unsafe despite their many benefits and the purchase protection they
afforded. He went back to the article that he was reading.
This intrusion involves the portion of TJX’s computer network that handles credit
card, debit card, checks, and merchandise return transactions for customers of its
T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto
Rico, and its Winners and HomeSense stores in Canada, and may involve
customers of its T.K. Maxx stores in the U.K. and Ireland. The intrusion could
also extend to TJX’s Bob’s Stores in the U.S.
“This has the potential of becoming a real disaster,” thought Dennis. “The stolen cards’ customer
information could be used to make counterfeit cards which could lead to an identity theft crisis.”
Complicating matters further was the fact that the theft was across the majority of the subsidiary
companies, which increased the scale of affected customers.
The Company immediately alerted law enforcement authorities of the crime and
is working closely with them to help identify those responsible. TJX is also
cooperating with credit and debit card issuers and providing them with
information on the intrusion,
the press release continued.
How long had it taken the company to disclose the computer intrusion to the public? Every day
wasted could make a difference in a victim’s journey through identity theft. However, the
company had to balance the need for disclosure with the conflicting need to keep quiet long
enough to give the law enforcement agencies time to catch up with the hackers.
With the help of leading computer security experts, TJX has significantly
strengthened the security of its computer systems. While no computer security can
completely guarantee the safety of data, these experts have confirmed that the
containment plan adopted by TJX is appropriate to prevent future intrusions and
to protect the safety of credit card, debit card and other customer transactions in
its stores.
Dennis was happy to see that the company had sought advice from experts on strengthening its
defense. The worst thing that could happen would be to have a repeat attack and theft of data.
That could take away any remaining investor-confidence in the company. He wondered how the
data thieves had penetrated the company’s security network and what layers of defense the
company had now erected to deter similar types of attacks in the future.
The TJX Companies, Inc
The TJX Companies, Incorporated was one of the leading retailers of apparel and home fashions
in the USA and worldwide, with annual sales hitting $17.4 billion in 2006 under the leadership of
Bernard Cammarata, Chairman of the Board, and Carol Meyrowitz, President and Chief
Executive Officer [2].
The mission of the company was the delivery of an exciting, fresh and rapidly changing
assortment of brand-name merchandise at excellent values to their customers [2].
TJX traced its origin from the first Zayre discount department store [3] opened by cousins
Stanley and Sumner Feldberg in 1956 in Hyannis, Massachusetts. Zayre later incorporated in
1962 and went on to acquire several other companies. Zayres, Inc. was later renamed TJX Inc.
As of 2008, TJX operated eight businesses, including T.J. Maxx, Marshalls, HomeGoods, Bob’s
Stores and A.J. Wright in the USA, Winners and HomeSense in Canada, and T.K. Maxx in
Europe [2]. The group had over 2,400 stores with approximately 125,000 associates and placed
133rd in the Fortune 500 company ranking [2].
Update on the Computer Intrusion at TJX
Dennis moved on to the second press release from TJX dated February 21, 2007 [4] giving an
update on the computer intrusion.
While the company previously believed that the intrusion took place only from
May, 2006 to January, 2007, TJX now believes its computing system was also
intruded upon in July 2005 and on various subsequent dates in 2005.
Dennis could not believe what he was reading. Did this mean that the data thieves hacked into
the system and continued stealing customer data from July, 2005 all the way to December, 2006
without being detected? How could such a large company not detect an intrusion for eighteen
months? What level of IT security personnel were responsible for IT network security? Did they
have a specific group within the IT organization that was responsible for IT network security?
Did they have a layered network security plan in place? At a minimum, didn’t they employ
intrusion detection systems? Didn’t they examine their logs to check for unauthorized file
access?
Dennis had worked in the IT security industry and knew that it was now standard policy in most
organizations to employ top notch network security personnel. Such people would design the
right security policies and then institute several layers of security controls to enforce the policies.
Such controls would include segmenting the network into manageable units and putting in
firewalls and intrusion detection systems (IDS) to protect the data. The IDS would monitor and
detect abnormal/fraudulent user behavior and alert the network security officer. It was also now
standard procedure to monitor server log files to see who was accessing sensitive data files. He
felt it would not be asking too much to expect such a company to be doing the same.
In addition to the customer data the Company previously reported as
compromised, the Company now believes that information regarding portions of
the credit and debit card transactions at its U.S., Puerto Rican and Canadian stores
(excluding debit card transactions with cards issued by Canadian banks) from
January, 2003 through June, 2004 was compromised.
Dennis could understand why so many people were worried. Customers who had ever bought
something at any of the TJX group of companies had reason to fear that they would become
victims of identity theft, and things were getting worse. The hackers had accessed credit and
debit card information and were in a position to use this information to purchase things which
would be billed to the customers’ accounts.
TJX has found additional drivers' license numbers together with related names
and addresses that it believes were compromised.
Why was the company keeping driver’s license numbers? Dennis was even more worried when
he remembered that some customers used their social security numbers as their driver’s license
numbers, making that group the most vulnerable to identity thieves.
He wanted a lot of answers and decided to look for an investigative report from a law
enforcement agency or some other independent institution. He searched the Internet for
“investigation on TJX computer intrusion,” and he got several hits. One was an investigation by
the Canadian privacy commissioner [5]. He downloaded the full report from the commissioner’s
website and sat down to read it.
Report of an Investigation into the Security, Collection and Retention of Personal
Information at TJX [5]
On January 17, 2007, the Office of the Privacy Commissioner of Canada (OPC)
and the Office of the Information and Privacy Commissioner of Alberta (AB
OIPC) were notified by TJX and by Visa that TJX had suffered a network
computer intrusion affecting the personal information of an estimated 45 million
payment cards in Canada, the United States, Puerto Rico, the United Kingdom
and Ireland.
Dennis sighed with consternation. Forty-five million customers were now at risk because of the
TJX computer intrusion. This would go down in history as one of the biggest hacks ever. He
could not remember any other computer intrusion with such a large number of affected
customers. The stakes were high, and the business case for putting safeguards into such an
organization was strong, as the damage would be enormous. He wondered if he was jumping to
conclusions and should first try to find out how the intruders had hacked into the TJX system. He
came to the paragraph describing the penetration:
TJX informed the investigators that “the intruder may have gained entry into the system outside
of two stores in Miami, Florida.” Dennis almost missed it. From outside a store? Without going
inside? Of course! The intruders must have hacked into the wireless system by positioning
themselves strategically outside the two stores where they could get the wireless signal without
going through the security guard at the door. This was getting interesting. He wondered whether
the company had performed a wireless security risk analysis to identify the vulnerabilities of
wireless security systems. What kind of security safeguards did the company have in place to
prevent this kind of attack? He continued to the next paragraph.
At the time of the breach, TJX had in place various technical measures in its
North American stores to protect personal information, including the Wired
Equivalent Privacy (WEP) encryption protocol.
Dennis immediately identified one problem; WEP had been an obsolete encryption
technology for several years. Earlier in the year, he had attended a seminar on wireless
security and was well versed in the different wireless encryption technologies. The WEP
protocol had been known to be unsafe [6] since 2001; in fact, several programs were
widely available on the Internet that could be used to crack it in minutes. They could
even be executed on an iPAQ PDA (a small personal device) that could be brought into a
store undetected. The Institute of Electrical and Electronics Engineers (IEEE) was the
original drafter of the WEP standard. They later rejected WEP due to its insecurities and
strongly recommended that users should move to the new WPA (Wi-Fi Protected Access)
encryption system, which had a more sophisticated algorithm and was, therefore, harder to
break [7]. Dennis wondered why a company of TJX’s size and available resources in
terms of money and manpower would still be using such an outdated system.
He read on. The “intruders then used deletion technology to cover their tracks thus making it
impossible for TJX to determine the contents of the files created and downloaded by the
intruder.” Dennis could tell that these were professional hackers, not the usual high school kids
out to impress their peers with their computer hacking prowess. These were experts who deleted
the server logs to stymie detection of the intrusion and took pains to cover their tracks so that
they would not get caught by the law enforcement agencies. TJX could have avoided
compromising important data like credit card data files and the server logs by making regular
back-ups and keeping them at a different site. The backed up data could then have been used to
track the hackers. He went on to review the objectives and findings of the Canadian probe in the
TJX computer intrusion.
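The two monitoring controls Dennis describes, examining server logs for unauthorized access to sensitive files (in the paragraph on layered security above) and keeping log backups at a different site so that an intruder's deletion of the logs does not erase the evidence (this paragraph), as an added example that is not part of the case, the report or any TJX system: a small Python script over a constructed file-access log. It flags touches of cardholder-data paths by accounts outside an assumed allow list, flags writes or deletions under the log directory itself, and keeps a SHA-256 hash chain whose head is recorded off-site so that a truncated or edited local copy is detected. The log format, paths, account names and policy lists are all assumptions made for the illustration.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List

# Constructed file-access log (not from TJX or the investigation report).
# Format assumed here: "<seq> <timestamp> <account> <action> <path>"
ACCESS_LOG = """\
1 2006-05-02T01:10:03Z svc_batch READ /cardholder/track2_2006-05-01.dat
2 2006-05-02T01:10:04Z svc_batch READ /cardholder/track2_2006-05-01.dat
3 2006-05-02T02:15:41Z posadmin READ /reports/daily_sales.csv
4 2006-05-02T02:16:09Z guest READ /cardholder/track2_2006-05-01.dat
5 2006-05-02T02:17:30Z guest WRITE /cardholder/extract.tmp
6 2006-05-02T02:18:00Z guest DELETE /var/log/secure
"""

SENSITIVE_PREFIXES = ("/cardholder/",)   # assumed location of card data
LOG_PREFIXES = ("/var/log/",)            # assumed location of the logs themselves
ALLOWED_ACCOUNTS = {"svc_batch"}         # assumed: only the batch job may read card data

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (READ|WRITE|DELETE) (\S+)$")


@dataclass(frozen=True)
class Entry:
    seq: int
    ts: str
    account: str
    action: str
    path: str

    def line(self) -> str:
        return f"{self.seq} {self.ts} {self.account} {self.action} {self.path}"


def parse_log(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"malformed log line: {raw!r}")
        entries.append(Entry(int(m[1]), m[2], m[3], m[4], m[5]))
    return entries


def find_unauthorized_access(entries):
    """Any touch of a sensitive path by an account outside the allow list."""
    return [e for e in entries
            if e.path.startswith(SENSITIVE_PREFIXES) and e.account not in ALLOWED_ACCOUNTS]


def find_log_tampering(entries):
    """Writes or deletions aimed at the log files: the 'covering tracks' signal."""
    return [e for e in entries
            if e.path.startswith(LOG_PREFIXES) and e.action in ("WRITE", "DELETE")]


def chain_hashes(entries):
    """Hash chain: each digest covers the previous digest and the current line,
    so removing or editing any entry changes every digest after it."""
    prev = "0" * 64
    digests = []
    for e in entries:
        prev = hashlib.sha256((prev + "\n" + e.line()).encode()).hexdigest()
        digests.append(prev)
    return digests


# The chain head and entry count are what would be shipped to a separate host
# (the off-site copy the case recommends) as each entry is written.
OFFSITE_HEAD = chain_hashes(parse_log(ACCESS_LOG))[-1]
OFFSITE_COUNT = 6


def verify_against_offsite(local_text, offsite_head, expected_count):
    """Recompute the chain over the local copy and compare with the off-site record."""
    entries = parse_log(local_text)
    problems = []
    if [e.seq for e in entries] != list(range(1, expected_count + 1)):
        problems.append("sequence gap: entries missing or reordered")
    digests = chain_hashes(entries)
    if not digests or digests[-1] != offsite_head:
        problems.append("hash chain head mismatch: log modified or truncated")
    return problems


# Constructed "after the intruder" copy: the last three entries were deleted.
TRUNCATED_LOG = "\n".join(ACCESS_LOG.splitlines()[:3]) + "\n"

if __name__ == "__main__":
    entries = parse_log(ACCESS_LOG)
    for e in find_unauthorized_access(entries):
        print("UNAUTHORIZED", e.line())
    for e in find_log_tampering(entries):
        print("LOG TAMPERING", e.line())
    print("intact copy:", verify_against_offsite(ACCESS_LOG, OFFSITE_HEAD, OFFSITE_COUNT))
    print("truncated copy:", verify_against_offsite(TRUNCATED_LOG, OFFSITE_HEAD, OFFSITE_COUNT))
```

The value of the off-site record is that it is written before the intruder gets a chance to edit the local log: once the head digest and the entry count have left the server, deleting or rewriting local entries produces a chain that no longer matches, and an entirely emptied log fails both checks.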
The goal of the investigation was to “examine the collection, retention and safeguarding
practices of the organization, in order to determine whether the breach could have been
prevented.” The investigators had set the right objectives. The issues of collection, retention and
safeguarding should form the core of a company’s information system security blueprint.
“Prevention is better than cure,” went the old adage. Keeping the collected information to an
absolute minimum would reduce the extent of the damage that could befall an organization like
TJX. Likewise, if only the absolute minimum of the collected information were retained, then the
amount of information to be protected was minimized. And finally, if the organization had strong
safeguards, then it meant that the information retained would be protected and therefore so costly
for hackers to access that it would not be worth the effort.
The first issue that the investigators were concerned with was “whether TJX had a reasonable
purpose for collecting the personal information affected by the breach.” This was very much in
line with the view of many IT security experts: only information that met a certain purpose
should be collected. Anything more would represent an unnecessary liability. Dennis could
understand why a company would want to collect names and addresses for credit card
verification. However, he could not understand why they had to store driver license numbers. If
they wanted a photo ID, they could ask for the driver’s license and compare it with the credit
card, but they did not need to enter this into the computer system.
The second issue that the investigators sought confirmation of was whether TJX’s practice of
retaining customer data was in compliance with Canadian regulations. The investigators found
that the “collection of names and addresses was acceptable but that of driver license ID numbers
was excessive and contrary” to Canadian privacy laws. They determined that the TJX practice
contravened the privacy laws and regulations. Collecting and retaining unnecessary personal data
must have exacerbated the situation.
The third issue that the commission investigated was whether TJX had made reasonable security
arrangements to protect the personal information in its custody. Dennis knew that the
responsibility for protecting customer data lay with the company collecting the information. He
personally felt that the company should not have been using the WEP encryption protocol after
the IEEE declared it insecure.
At the end of September, 2005, TJX made a decision to improve the protection of
its wireless networks by installing the Wi-Fi Protected Access (WPA) encryption
protocols in its stores.
Dennis sighed; it was good the company had eventually realized the danger of using
WEP, but it was too late by then. The press update [4] had stated that the first TJX intrusion was
in July, 2005, so by the time they started upgrading to WPA the intruders were already into the
system, siphoning customer data out. If they had changed to WPA earlier, they might have
prevented the intrusion. Dennis was pleased to see that the “organization undertook forensic and
other investigations to audit and analyze the security of the TJX computer system, and to
enhance the security of the TJX computer system in a continuing effort by TJX to safeguard
against future attempted unauthorized intrusions” and was taking steps to rectify the situation,
but he wondered why they had to be hacked to do what they should have done earlier. He was
angry that so much had been lost because of something that could have been prevented.
The total losses from the intrusion would not be known for some time. By the second quarter
earning report [8] in August, 2007, TJX had put aside $196 million before taxes as an estimated
provision to cover the liabilities in anticipation of the suits that were bound to follow. This was
in addition to the $25 million charge before taxes that they had taken earlier. The quarterly report
further suggested that the company might have “to take an extra $35 million in the next financial
year.” This totaled about $256 million, and the figure was increasing. In fact, some research
firms estimated that “the total loss from the breach could reach $1 billion once settlement and
lost sales were tallied” [9]. This was a monumental figure by any account.
It would be good to compare the total loss with what TJX would have spent to fix the initial
WEP problem and safeguard the customer data, thus avoiding the computer intrusion. Dennis
could not get any exact figure so he decided to make a rough estimate. He knew that retailers like
TJX that processed debit/credit cards from the four major credit card issuers (Visa, MasterCard,
American Express and Discover) had to meet certain standards [10] set by the payment card
industry (PCI). These consisted of twelve rules which were explicit in the layers of security
controls that had to be erected to protect credit card data. The rules called for the proper
installation of firewalls, access controls, encryption of data across open networks, regular
software updates and monitoring of networks, and maintaining a sound information security
policy. This layered defense would provide a formidable obstacle to hacking. (See Appendix A
for an illustration of the Defense-in-Depth Strategy).
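The PCI layers just listed (network segmentation, firewalls, access controls and monitoring of the network), as an added example that is not from the case, the PCI standard or TJX: a Python model of a store network split into zones with a first-match, default-deny policy, run over constructed flow records to show which connections the policy would have stopped and which, if they show up in a flow log, deserve an alert. The zone names, address ranges, ports and rules are assumptions chosen for the illustration, and the firewall is simulated rather than being any real product's configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed store network zones with constructed address ranges (not TJX's).
ZONES = {
    "store-wifi": ipaddress.ip_network("10.10.0.0/16"),  # handheld scanners, guest devices
    "pos": ipaddress.ip_network("10.20.0.0/16"),         # registers
    "cde": ipaddress.ip_network("10.30.0.0/24"),         # cardholder data environment
    "corp": ipaddress.ip_network("10.40.0.0/16"),        # back-office systems
}


@dataclass(frozen=True)
class Rule:
    src_zone: str            # zone name or "*" for any
    dst_zone: str
    dst_port: Optional[int]  # None matches any port
    action: str              # "allow" or "deny"


# First-match ruleset: a few explicit allows, then a final default deny.
# Nothing permits the wireless segment to reach the cardholder environment.
POLICY = [
    Rule("pos", "cde", 8443, "allow"),         # registers submit authorizations
    Rule("corp", "cde", 22, "allow"),          # administration from back office only
    Rule("store-wifi", "corp", 443, "allow"),  # inventory application for handhelds
    Rule("*", "*", None, "deny"),
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known ranges is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return the action of the first matching rule (deny if none match)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in POLICY:
        if r.src_zone in ("*", src) and r.dst_zone in ("*", dst) \
                and r.dst_port in (None, dst_port):
            return r.action
    return "deny"


# Constructed flow records (src, dst, dst_port) as a flow exporter might log them.
FLOWS: List[Tuple[str, str, int]] = [
    ("10.20.1.5", "10.30.0.10", 8443),
    ("10.10.7.42", "10.30.0.10", 1433),  # wireless client reaching for the card database
    ("10.10.7.42", "10.40.2.8", 443),
    ("10.40.2.8", "10.30.0.10", 22),
    ("10.10.7.42", "10.30.0.10", 8443),  # wireless client mimicking a register
]


def audit_flows(flows):
    """Flows the policy denies; seen in a flow log, each one is an alert candidate."""
    return [(s, d, p) for s, d, p in flows if evaluate(s, d, p) == "deny"]


if __name__ == "__main__":
    for flow in audit_flows(FLOWS):
        print("DENY/ALERT", zone_of(flow[0]), "->", zone_of(flow[1]), flow)
```

The point of the default-deny rule at the end is that a device on the store wireless segment never reaches the cardholder environment, whatever port it tries; the same evaluation run over flow logs doubles as the detection the case says was missing, because a denied flow that keeps appearing is exactly the "unusual behavior" an intrusion detection system should report.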
Dennis emailed one of the leading security consultants he knew for an approximate figure on
what a company like TJX would have incurred in becoming PCI compliant.
“I cannot address TJX in particular but I know of an information-intensive
company that has spent more than $20 million in order to be PCI compliant. This
was a company that possessed many, many millions of individual personal
identifiers, including social security numbers and had to be PCI compliant, level
one, because it processes in excess of six million credit card transactions annually.
So obviously, it has a significant retail operation,”
replied the security consultant. After chatting a bit longer, Dennis returned to his course
preparation and decided to use the given figure as an upper limit. He did further
investigation searching for real companies that had gone through PCI compliance. The
Wall Street Journal [11] reported that the “musical-instruments retailer Guitar Center Inc,
which operates more than 210 stores nationwide and processes several million payment-card
transactions a year, had purchased nearly $500,000 of new technology in the past year in order
to comply with the PCI standards.” Dennis could not do a direct comparison as this company had
210 stores while TJX had 2,400 stores, so he computed the cost per store of about $2,380.
Multiplying the cost per store by the total number of TJX stores gave a figure of about
$5.7 million. The same article stated that “the biggest merchants, those that process six million
or more payment-card transactions a year from any single card brand, spent an average of
$568,000 on new technologies to comply with the PCI security standards, according to estimates
from Gartner, Inc.” In the case of TJX, eight such large merchant businesses were embedded
within the group. T.J. Maxx, Marshalls, HomeGoods, Bob’s Stores, and A.J. Wright in the USA,
Winners and HomeSense in Canada, and T.K. Maxx in Europe were all subsidiaries of TJX, and
each processed six million or more payment-card transactions a year from any single card brand.
Another way of getting an approximate figure would be to multiply the average cost by eight
which gave $4.8 million. Dennis concluded that TJX would have invested about $5-20 million to
become PCI compliant, but the final cost of the effects of the intrusion was going to be more
than ten times what it would have cost to fix the system in the beginning. “Here’s a lesson,”
Dennis thought, “for all companies about the importance of data security.”
Dennis wondered whether other retailers had learned the same lesson that TJX had learned. Most
of the retailers all over the United States used similar payment systems and were being guided by
the same PCI rules; how well were they implementing these rules? How well were they
protecting themselves now that they had seen one of their own lose so much and get so much
negative publicity? He decided to find out. He remembered reading that AirDefense, one of the
leading companies in wireless security, was doing a comprehensive national survey on the
wireless security of retail stores. He searched for the survey results from the company’s website
to see what they found out. What he was about to discover would shake his faith in the retail
industry.
On November 15, 2007, AirDefense published a survey [12] of the wireless data security and
physical security practices in place at more than 3,000 stores nationwide and also in parts of
Europe. Cities monitored were Atlanta, Boston, Chicago, Los Angeles, New York City, San
Francisco, London and Paris. Research was conducted in some of the busiest shopping areas in
the country, including: Rodeo Drive in Beverly Hills, Madison Avenue and 5th Avenue in New
York City, Michigan Avenue in Chicago, and Union Square and Market Street in San Francisco.
The company monitored 5,000 access points that connected wireless devices to wired computer
networks.
The results were shocking. Twenty-five percent of the networks were found to be unencrypted,
meaning that anybody could access them. Another 25 percent were using Wired Equivalent
Privacy (WEP), the same encryption protocol that had allowed the intrusion at TJX. The rest of
the retail stores were using WPA, which was the recommended encryption protocol. Dennis was
amazed. He wondered what it would take for the retail stores to take information security
seriously. The net determination of the survey was that 50 percent of the retailers’ wireless
access points were not safe. This left the shopper at the mercy of hackers. It was as if the retailers
had learned nothing from the TJX computer intrusion. He wondered how long it would take
before another computer intrusion was perpetrated. For the second time that morning, he
wondered whether to advise his wife not to use her credit card at the retail stores.
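The wireless encryption findings running through the case (WEP in the TJX stores, the later move to WPA, and the survey's split of open, WEP and WPA access points), as an added example that is not AirDefense's data or tooling: a Python audit that reads a constructed per-store access-point inventory, computes the share of access points at each protection level the way the survey reports them, and ranks stores for remediation by their worst access point. The store names, SSIDs and the risk ranking (which treats WPA2 with AES as the floor, a stricter policy than the WPA the case recommends) are assumptions.

```python
import csv
import io
from collections import Counter

# Constructed scan inventory (not AirDefense's data): one row per access point.
SCAN_CSV = """\
store,ssid,security
Boston-01,STORE-POS,WEP
Boston-01,STORE-GUEST,OPEN
Boston-02,STORE-POS,WPA2-AES
Chicago-01,STORE-POS,WPA-TKIP
Chicago-01,HANDHELD,WEP
NYC-01,STORE-POS,WPA2-AES
NYC-02,STORE-POS,OPEN
NYC-02,SCANNER,WPA2-AES
"""

# Assumed policy: risk level per link-layer protection, WPA2 with AES as the floor.
RISK = {"OPEN": "critical", "WEP": "high", "WPA-TKIP": "medium", "WPA2-AES": "ok"}
UNSAFE = {"OPEN", "WEP"}          # what the survey counted as "not safe"
ORDER = ["critical", "high", "medium"]


def load_scan(text):
    """Parse the inventory and reject labels the policy does not know."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        if r["security"] not in RISK:
            raise ValueError(f"unknown security label {r['security']!r} on {r['ssid']}")
    return rows


def survey_breakdown(rows):
    """Percent of access points at each protection level, as the survey reports it."""
    counts = Counter(r["security"] for r in rows)
    total = len(rows)
    return {level: round(100 * counts[level] / total, 1) for level in RISK}


def unsafe_share(rows):
    """Percent of access points that are open or WEP."""
    return round(100 * sum(r["security"] in UNSAFE for r in rows) / len(rows), 1)


def remediation_list(rows):
    """Stores that must act, each listed once under its worst access point,
    ordered most urgent first."""
    worst = {}
    for r in rows:
        level = RISK[r["security"]]
        if level == "ok":
            continue
        current = worst.get(r["store"])
        if current is None or ORDER.index(level) < ORDER.index(current):
            worst[r["store"]] = level
    return sorted(worst.items(), key=lambda item: (ORDER.index(item[1]), item[0]))


if __name__ == "__main__":
    rows = load_scan(SCAN_CSV)
    print("breakdown:", survey_breakdown(rows))
    print("unsafe share:", unsafe_share(rows), "%")
    for store, level in remediation_list(rows):
        print(f"{level:>8}  {store}")
```

Ranking by the worst access point matters because one WEP or open network in a store is enough: as the case shows, the strength of the other access points does nothing for a segment the intruder can already join.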
REFERENCES
1. TJX Incorporation, The TJX Companies Incorporation Victimized by Computer Systems Intrusion: Provides Information to Help Protect Customers, in Business Wire. 2007, TJX, Inc.: Framingham, Massachusetts.
2. TJX Incorporation, 2006 Annual Report. 2007: Framingham, Massachusetts.
3. Funding Universe, TJX Incorporation - Company History. 2002 [cited 2008 February]; Available from: http://www.fundinguniverse.com/company-histories/The-TJXCompanies-Inc-Company-History.html.
4. TJX Incorporation, The TJX Companies Incorporation Updates Information on Computer Systems Intrusion, in Business Wire. 2007.
5. Privacy Commissioner - Canada and Information & Privacy Commissioner - Alberta, Report of an Investigation into the Security, Collection and Retention of Personal Information at TJX. 2007.
6. Borisov, N., I. Goldberg, and D. Wagner, Intercepting Mobile Communications: The Insecurity of 802.11, in 7th Annual Conference on Mobile Computing and Networking (MOBICOM). 2001. Rome, Italy: ACM Press.
7. IEEE Computer Society, IEEE Standard 802.11i for Information Technology - Telecommunications and Information Exchanges between Systems - Local and Metropolitan Area Networks - Specific Requirements. 2004, IEEE: New York, USA.
8. TJX Incorporation, The TJX Companies, Inc. Reports Strong Second Quarter FY08 Operating Results; Estimates Liability from Computer Systems Intrusion(s). 2007: Framingham, Massachusetts.
9. Goodin, D., TJX Breach was Twice as Big as Admitted, Bank Says, in Channel Register. 2007.
10. PCI Security Standards Council, Payment Card Industry (PCI) Data Security Standard. 2006: Wakefield, MA, USA.
11. Tam, P.-W. and R. Sidel, Business Technology: Security-Software Industry's Miniboom; As Merchants Upgrade Systems to Meet New Rules, Tech Firms Benefit, in Wall Street Journal. 2007: New York, N.Y.
12. AirDefense, AirDefense's Comprehensive Survey of 3,000 Retail Stores Finds Many Wireless Data Security Vulnerabilities as Holiday Shopping Season Nears. 2007 [cited 2008 March 25]; Available from: http://www.airdefense.net/newsandpress/11_15_07.php.
13. Whitman, M. and H. Mattord, Principles of Information Security. 2nd ed. 2005, Boston, Massachusetts, USA: Course Technology.
Appendix A: Defense-in-depth Strategy
Fig 1: Illustration of the Defense-in-Depth Strategy [13]
The “defense-in-depth” strategy illustrated in Fig 1 involves setting up overlapping layers of
security controls so that an intruder has to overcome one level after another before reaching
the protected resource. The weakness of one layer of security control is compensated for by the
strength of another. The overall goal is to vigorously prevent, detect and mitigate intrusions.
Most intruders will give up after facing multiple layers. The controls should mix technology-
and people-oriented solutions. Figure 1 shows several examples of technology-based solutions,
including a firewall protecting the network and an intrusion detection system within the network
monitoring for unusual behavior. Likewise, the figure includes some people-based solutions.
Security to a large extent depends on having the right policies and regulations. Equally important
are well-trained and well-compensated personnel who will vigorously work to prevent, detect and
mitigate security issues. The users should also be well educated and aware of the common threats
facing the organization; because they are on the ground, they would be the first to notice unusual
behavior or even attacks. Each of these solutions supplements the others in different ways.