Lessons From Computer Intrusion at TJX
advertisement
The CASE Journal Volume 5, Issue 2 (Spring 2009) Lessons from Computer Intrusion at TJX Benjamin Ngugi Suffolk University Glenn S Dardick Longwood University Gina Vega Salem, Salem State College ANNOUNCEMENT OF COMPUTER INTRUSION AT TJX The TJX Companies, Inc. today announced that it has suffered an unauthorized intrusion into its computer systems that process and store information related to customer transactions. While TJX has specifically identified some customer information that has been stolen from its systems, the full extent of the theft and affected customers are not yet known, read Dennis Frank from the TJX press statement [1] dated January 17, 2007. It was almost the end of the fall 2007 semester. Dennis, an assistant professor of Information Technology at a Boston university, was preparing a class presentation from his home office on the importance of customer data protection when his mind immediately focused on the computer intrusion at TJX earlier in the year. No other computer intrusion case could have been more relevant; he knew that several of his students were either directly affected or knew someone who had been affected by the TJX computer intrusion. Further, some of the issues that led to the TJX intrusion were now finding their way to the public via the media and the Internet, so the students would have ready access to research materials. He began analyzing all the TJX press statements about the computer intrusion. Dennis was distracted briefly by his wife who was furiously typing a holiday shopping list on her computer. The holiday season had arrived and they were inundated with special offers from the retail companies. First there was the Thanksgiving series of sales, and now the Christmas series had started. He wondered whether to warn her to use cash when doing her shopping, as credit cards were becoming unsafe despite their many benefits and the purchase protection they afforded. He went back to the article that he was reading. This intrusion involves the portion of TJX’s computer network that handles credit card, debit card, checks, and merchandise return transactions for customers of its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico, and its Winners and HomeSense stores in Canada, and may involve customers of its T.K. Maxx stores in the U.K. and Ireland. The intrusion could also extend to TJX’s Bob’s Stores in the U.S. Page 17 The CASE Journal Volume 5, Issue 2 (Spring 2009) “This has the potential of becoming a real disaster,” thought Dennis. “The stolen cards’ customer information could be used to make counterfeit cards which could lead to an identity theft crisis.” Complicating matters further was the fact that the theft was across the majority of the subsidiary companies, which increased the scale of affected customers. The Company immediately alerted law enforcement authorities of the crime and is working closely with them to help identify those responsible. TJX is also cooperating with credit and debit card issuers and providing them with information on the intrusion, the press release continued. How long had it taken the company to disclose the computer intrusion to the public? Every day wasted could make a difference in a victim’s journey through identity theft. However, the company had to balance the need for disclosure with the conflicting need to keep quiet long enough to give the law enforcement agencies time to catch up with the hackers. With the help of leading computer security experts, TJX has significantly strengthened the security of its computer systems. While no computer security can completely guarantee the safety of data, these experts have confirmed that the containment plan adopted by TJX is appropriate to prevent future intrusions and to protect the safety of credit card, debit card and other customer transactions in its stores. Dennis was happy to see that the company had sought advice from experts on strengthening its defense. The worst thing that could happen would be to have a repeat attack and theft of data. That could take away any remaining investor-confidence in the company. He wondered how the data thieves had penetrated the company’s security network and what layers of defense the company had now erected to deter similar types of attacks in the future. The TJX Companies, Inc The TJX companies, Incorporated was one of the leading retailers of apparel and home fashions in the USA and worldwide with annual sales hitting $17.4 billion in 2006 under the leadership of Bernard Cammarata, Chairman of the Board, and Carrol Meyrowitz, President and Chief Executive Officer [2]. The mission of the company was the delivery of an exciting, fresh and rapidly changing assortment of brand-name merchandise at excellent values to their customers [2]. TJX traced its origin from the first Zayre discount department store [3] opened by cousins Stanley and Sumner Feldberg in 1956 in Hyannis, Massachusetts. Zayre later incorporated in 1962 and went on to acquire several other companies. Zayres, Inc. was later renamed TJX Inc. As of 2008, TJX operated eight businesses, including T.J. Maxx, Marshalls, Home goods, Bob’s Stores and A.J Wright in the USA, Winners and Homesense in Canada, and T.K Maxx in Europe [2]. The group had over 2,400 stores with approximately 125,000 associates and placed 133rd in the Fortune 500 company ranking [2]. Page 18 The CASE Journal Volume 5, Issue 2 (Spring 2009) Update on the Computer Intrusion at TJX Dennis moved on to the second press release from TJX dated February 21, 2007 [4] giving an update on the computer intrusion. While the company previously believed that the intrusion took place only from May, 2006 to January, 2007, TJX now believes its computing system was also intruded upon in July 2005 and on various subsequent dates in 2005. Dennis could not believe what he was reading. Did this mean that the data thieves hacked into the system and continued stealing customer data from July, 2005 all the way to December, 2006 without being detected? How could such a large company not detect an intrusion for eighteen months? What level of IT security personnel were responsible for IT network security? Did they have a specific group within the IT organization that was responsible for IT network security? Did they have a layered network security plan in place? At a minimum, didn’t they employ intrusion detection systems? Didn’t they examine their logs to check for unauthorized file access? Dennis had worked in the IT security industry and knew that it was now standard policy in most organizations to employ top notch network security personnel. Such people would design the right security policies and then institute several layers of security controls to enforce the policies. Such controls would include segmenting the network into manageable units and putting in firewalls and intrusion detection systems (IDS) to protect the data. The IDS would monitor and detect abnormal/fraudulent user behavior and alert the network security officer. It was also now standard procedure to monitor server log files to see who was accessing sensitive data files. He felt it would not be asking too much to expect such a company to be doing the same. In addition to the customer data the Company previously reported as compromised, the Company now believes that information regarding portions of the credit and debit card transactions at its U.S., Puerto Rican and Canadian stores (excluding debit card transactions with cards issued by Canadian banks) from January, 2003 through June, 2004 was compromised. Dennis could understand why so many people were worried. Customers who had ever bought something at any of the TJX group of companies had reason to fear that they would become victims of identity theft, and things were getting worse. The hackers had accessed credit and debit card information and were in a position to use this information to purchase things which would be billed to the customers’ accounts. TJX has found additional drivers' license numbers together with related names and addresses that it believes were compromised. Why was the company keeping driving license numbers? Dennis was even more worried when he remembered that some customers used their social security numbers as their driver’s license numbers, making that group the most vulnerable to identity thieves. Page 19 The CASE Journal Volume 5, Issue 2 (Spring 2009) He wanted a lot of answers and decided to look for an investigative report from a law enforcement agency or some other independent institution. He searched the Internet for “investigation on TJX computer intrusion,” and he got several hits. One was an investigation by the Canadian privacy commissioner[5]. He downloaded the full report from the commissioner’s website and sat down to read it. Report of an Investigation into the Security, Collection and Retention of Personal Information at TJX[5] On January 17, 2007, the Office of the Privacy Commissioner of Canada (OPC) and the Office of the Information and Privacy Commissioner of Alberta (AB OIPC) were notified by TJX and by Visa that TJX had suffered a network computer intrusion affecting the personal information of an estimated 45 million payment cards in Canada, the United States, Puerto Rico, the United Kingdom and Ireland. Dennis sighed with consternation. Forty-five million customers were now at risk because of the TJX computer intrusion. This would go down in history as one of the biggest hacks ever. He could not remember any other computer intrusion with such a large number of affected customers. The stakes were high, and the business case for putting safeguards into such an organization was strong, as the damage would be enormous. He wondered if he was jumping to conclusions and should first try to find out how the intruders had hacked into the TJX system. He came to the paragraph describing the penetration: TJX informed the investigators that “the intruder may have gained entry into the system outside of two stores in Miami, Florida.” Dennis almost missed it. From outside a store? Without going inside? Of course! The intruders must have hacked into the wireless system by positioning themselves strategically outside the two stores where they could get the wireless signal without going through the security guard at the door. This was getting interesting. He wondered whether the company had performed a wireless security risk analysis to identify the vulnerabilities of wireless security systems. What kind of security safeguards did the company have in place to prevent this kind of attack? He continued to the next paragraph. At the time of the breach, TJX had in place various technical measures in its North American stores to protect personal information, including the Wired Equivalent Privacy (WEP) encryption protocol. Dennis immediately identified one problem; WEP had been an obsolete encryption technology for several years. Earlier in the year, he had attended a seminar on wireless security and was well versed in the different wireless encryption technologies. The WEP protocol had been known to be unsafe [6] since 2001; in fact, several programs were widely available on the Internet that could be used to crack it in minutes. They could even be executed on an IPAQ PDA (a small personal device) that could be brought into a store undetected. The Institute of Electrical and Electronics Engineers (IEEE) was the original drafter of the WEP standard. They later rejected WEP due to its insecurities and strongly recommended that users should move to the new WPA (WI-FI protected access) encryption system which had a more sophisticated algorithm and was, therefore, harder to Page 20 The CASE Journal Volume 5, Issue 2 (Spring 2009) break [7]. Dennis wondered why a company of TJX’s size and available resources in terms of money and manpower would still be using such an outdated system. He read on. The “intruders then used deletion technology to cover their tracks thus making it impossible for TJX to determine the contents of the files created and downloaded by the intruder.” Dennis could tell that these were professional hackers, not the usual high school kids out to impress their peers with their computer hacking prowess. These were experts who deleted the server logs to stymie detection of the intrusion and took pains to cover their tracks so that they would not get caught by the law enforcement agencies. TJX could have avoided compromising important data like credit card data files and the server logs by making regular back-ups and keeping them at a different site. The backed up data could then have been used to track the hackers. He went on to review the objectives and findings of the Canadian probe in the TJX computer intrusion. The goal of the investigation was to “examine the collection, retention and safeguarding practices of the organization, in order to determine whether the breach could have been prevented.” The investigators had set the right objectives. The issues of collection, retention and safeguarding should form the core of a company’s information system security blueprint. “Prevention is better than cure,” went the old adage. Keeping the collected information to an absolute minimum would reduce the extent of the damage that could befall an organization like TJX. Likewise, if only the absolute minimum of the collected information were retained, then the amount of information to be protected was minimized. And finally, if the organization had strong safeguards, then it meant that the information retained would be protected and therefore so costly for hackers to access that it would not be worth the effort. The first issue that the investigators were concerned with was “whether TJX had a reasonable purpose for collecting the personal information affected by the breach.” This was very much in line with the view of many IT security experts: only information that met a certain purpose should be collected. Anything more would represent an unnecessary liability. Dennis could understand why a company would want to collect names and addresses for credit card verification. However, he could not understand why they had to store driver license numbers. If they wanted a photo ID, they could ask for the driver’s license and compare it with the credit card, but they did not need to enter this into the computer system. The second issue that the investigators sought confirmation of was whether TJX’s retention of customer data practice was in compliance with Canadian regulations. The investigators found that the “collection of names and addresses was acceptable but that of driver license ID numbers was excessive and contrary” to Canadian privacy laws. They determined that the TJX practice contravened the privacy laws and regulations. Collecting and retaining unnecessary personal data must have exacerbated the situation. The third issue that the commission investigated was whether TJX had made reasonable security arrangements to protect the personal information in its custody. Dennis knew that the responsibility for protecting customer data lay with the company collecting the information. He personally felt that the company should not have been using the WEP encryption protocol after the IEEE declared it insecure. Page 21 The CASE Journal Volume 5, Issue 2 (Spring 2009) At the end of September, 2005, TJX made a decision to improve the protection of its wireless networks by installing the Wi-Fi Protected Access (WPA) encryption protocols in its stores. Dennis sighed; it was good the company had eventually realized the danger of using WEP, but it was too late by then. The press update [4] had stated that the first TJX intrusion was in July, 2005, so by the time they started upgrading to WPA the intruders were already into the system, siphoning customer data out. If they had changed to WPA earlier, they might have prevented the intrusion. Dennis was pleased to see that the “organization undertook forensic and other investigations to audit and analyze the security of the TJX computer system, and to enhance the security of the TJX computer system in a continuing effort by TJX to safeguard against future attempted unauthorized intrusions” and was taking steps to rectify the situation, but he wondered why they had to be hacked to do what they should have done earlier. He was angry that so much had been lost because of something that could have been prevented. The total losses from the intrusion would not be known for some time. By the second quarter earning report [8] in August, 2007, TJX had put aside $196 million before taxes as an estimated provision to cover the liabilities in anticipation of the suits that were bound to follow. This was in addition to the $25 million charge before taxes that they had taken earlier. The quarterly report further suggested that the company might have “to take an extra $35 million in the next financial year.” This totaled about $256 million, and the figure was increasing. In fact, some research firms estimated that “the total loss from the breach could reach $1 billion once settlement and lost sales were tallied.” [3[9] This was a monumental figure by any account. It would be good to compare the total loss with what TJX would have spent to fix the initial WEP problem and safeguard the customer data, thus avoiding the computer intrusion. Dennis could not get any exact figure so he decided to make a rough estimate. He knew that retailers like TJX that processed debit/credit cards from the major four credit card issuers (Visa, MasterCard, American Express and Discover) had to meet certain standards [10] set by the payment card industry (PCI). These consisted of twelve rules which were explicit in the layers of security controls that had to be erected to protect credit card data. The rules called for the proper installation of firewalls, access controls, encryption of data across open networks, regular software updates and monitoring of networks, and maintaining a sound information security policy. This layered defense would provide a formidable obstacle to hacking. (See Appendix A for an illustration of the Defense-in-Depth Strategy). Dennis emailed one of the leading security consultants he knew for an approximate figure on what a company like TJX would have incurred in becoming PCI compliant. “I cannot address TJX in particular but I know of an information-intensive company that has spent more than $20 million in order to be PCI compliant. This was a company that possessed many, many millions of individual personal identifiers, including social security numbers and had to be PCI compliant, level one, because it processes in excess of six million credit card transactions annually. So obviously, it has a significant retail operation,” Page 22 The CASE Journal Volume 5, Issue 2 (Spring 2009) replied the security consultant. After chatting a bit longer, Dennis returned to his course preparation and decided to use the given figure as an upper limit. He did further investigation searching for real companies that had gone through PCI compliance. The Wall Street Journal [11] reported that the “musical-instruments retailer Guitar Center Inc, which operates more than 210 stores nationwide and processes several million paymentcard transactions a year, had purchased nearly $500,000 of new technology in the past year in order to comply with the PCI standards.” Dennis could not do a direct comparison as this company had 210 stores while TJX had 2,400 stores, so he computed the cost per store of about $2,380. Multiplying the cost per store by TJX total stores gave a figure of about $5.7 million. The same article stated that “the biggest merchants, those that process six million or more payment-card transactions a year from any single card brand, spent an average of $568,000 on new technologies to comply with the PCI security standards, according to estimates from Gartner, Inc.” In the case of TJX, there were embedded eight such large merchant businesses. T.J. Maxx, Marshalls, Home goods, Bob’s Stores, and A.J Wright in the USA, Winners and Homesense in Canada, and T.K Max in Europe were all subsidiaries of TJX and each processed six million or more payment-card transactions a year from any single card brand. Another way of getting an approximate figure would be to multiply the average cost by eight which gave $4.8 million. Dennis concluded that TJX would have invested about $5-20 million to become PCI compliant, but the final cost of the effects of the intrusion was going to be more than ten times what it would have cost to fix the system in the beginning. “Here’s a lesson,” Dennis thought, “for all companies about the importance of data security.” Dennis wondered whether other retailers had learned the same lesson that TJX had learned. Most of the retailers all over the United States used similar payment systems and were being guided by the same PCI rules; how well were they implementing these rules? How well were they protecting themselves now that they had seen one of their own lose so much and get so much negative publicity? He decided to find out. He remembered reading that AirDefense, one of the leading companies in wireless security, was doing a comprehensive national survey on the wireless security of retail stores. He searched for the survey results from the company’s website to see what they found out. What he was about to discover would shake his faith in the retail industry. On November 15, 2007, AirDefense published a survey [12] of the wireless data security and physical security practices in place at more than 3,000 stores nationwide and also in parts of Europe. Cities monitored were Atlanta, Boston, Chicago, Los Angeles, New York City, San Francisco, London and Paris. Research was conducted in some of the busiest shopping areas in the country, including: Rodeo Drive in Beverly Hills, Madison Avenue and 5th Avenue in New York City, Michigan Avenue in Chicago, and Union Square and Market Street in San Francisco. The company monitored 5,000 access points that connected wireless devices to wired computer networks. The results were shocking. Twenty-five percent of the networks were found to be unencrypted, meaning that anybody could access them. Another 25 percent were using Wired Equivalency Page 23 The CASE Journal Volume 5, Issue 2 (Spring 2009) Privacy (WEP), the same encryption protocol that had allowed the intrusion at TJX. The rest of the retail stores were using WPA, which was the recommended encryption protocol. Dennis was amazed. He wondered what it would take for the retail stores to take information security seriously. The net determination of the survey was that 50 percent of the retailers’ wireless access points were not safe. This left the shopper at the mercy of hackers. It was as if the retailers had learned nothing from the TJX computer intrusion. He wondered how long it would take before another computer intrusion was perpetrated. For the second time that morning, he wondered whether to advise his wife not to use her credit card at the retail stores. Page 24 The CASE Journal Volume 5, Issue 2 (Spring 2009) REFERENCES 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. TJX Incorporation, The TJX Companies Incorporation Victimized by Computer Systems Intrusion: Provides Information to Help Protect Customers in Business Wire. 2007, TJX, Inc.: Framingham, Massachusetts. TJX Incorporation, 2006 Annual Report. 2007: Framingham, Massachusetts. Funding Universe. TJX Incorporation-Company History. 2002 [cited 2008 February]; Available from: http://www.fundinguniverse.com/company-histories/The-TJXCompanies-Inc-Company-History.html. TJX Incorporation, The TJX Companies Incorporation Updates Information on Computer Systems Intrusion in Business Wire. 2007. Privacy Commissioner -Canada and Information & Privacy Commissioner-Alberta, Report of an Investigation into the Security, Collection and Retention of Personal Information at TJX. 2007. Borisov, N., I. Goldberg, and D. Wagner. Intercepting Mobile Communications: The Insecurity of 802.11. in 7th Annual Conference on Mobile Computing and Networking (MOBICOM). 2001. Rome, Italy: ACM Press. IEEE Computer Society, IEEE Standard 802.11i for Information Technology Telecommunications and Information Exchanges between Systems -Local and Metropolitan Area Networks-Specific Requirements. 2004, IEEE: NewYork, USA. TJX Incorporation, The TJX Companies, Inc. Reports Strong Second Quarter FY08 Operating Results; Estimates Liability from Computer Systems Intrusion(s). 2007: Framingham, Massachusetts. Goodin, D., TJX Breach was Twice as Big as Admitted, Bank Says, in Channel Register. 2007. PCI Security Standard Council, Payment Card Industry (PCI) Data Security Standard. 2006: Wakefield, MA USA. Tam, P.-W. and R. Sidel, Business Technology: Security-Software Industry's Miniboom; As Merchants Upgrade Systems to Meet New Rules, Tech Firms Benefit, in Wall Street Journal. 2007: New York, N.Y. AirDefense. AirDefense's Comprehensive Survey of 3,000 Retail Stores Finds Many Wireless Data Security Vulnerabilities as Holiday Shopping Season Nears. 2007 [cited 2008 March, 25th]; Available from: http://www.airdefense.net/newsandpress/11_15_07.php. Whitman, M. and H. Mattord, Principles of Information Security. 2nd ed. 2005, Boston, Massachusetts, USA: Course Technology. Page 25 The CASE Journal Volume 5, Issue 2 (Spring 2009) Appendix A: Defense-in-depth Strategy Fig 1: Illustration of the Defense-in-Depth Strategy [13] The “defense-in-depth” strategy illustrated in Fig 1 involves setting up of overlapping layers of security controls so that an intruder will have to overcome one level after the other before reaching the protected resource. The weakness of one layer of security control is compensated by the strength of another. The overall goal is to vigorously prevent, detect and mitigate intrusions. Most intruders will give up after facing multiple layers. The type of controls should have a mix of both technology- and people-oriented solutions. Figure 1 shows several examples of technology based solutions that includes a firewall protecting the network and an intrusion detection systems within the network monitoring for unusual behavior. Likewise, the figure includes some people based solutions. Security to a large extent depends on having the right policies and regulations. Equally important is well trained and compensated personnel who will vigorously work to prevent, detect and mitigate security issues. The users should also be well educated and aware of the common threats facing the organization; because they are on the ground, they would be the first to notice unusual behavior or even attacks. Each of these solutions supplements the other in different ways. Page 11
