White Paper on Corporate IT Data Security
at Publix Retail Outlets
Authors
Shweta Kapadnis (16122942)
Charles Ofei ()
Sebastian ()
CONTENT
Table of Contents
Authors.......................................................................................................................................................... 1
CONTENT ................................................................................................................................................... 2
EXECUTIVE SUMMARY ........................................................................................................................ 3
INTRODUCTION....................................................................................................................................... 4
WHERE PUBLIX IS WITH DATA SECURITY .................................................................................... 5
THE EXISTING DATA SYSTEMS, SUCCESSES, OPPRTUNITIES AND RISKS AT PUBLIX .... 6
THE MAIN AREAS OF RISK CURRENTLY INCLUDE..................................................................... 7
STEPS TO REDUCE VULNERABILITY TO DATA SECURITY BREACH .................................... 8
STEPS PUBLIX CAN TAKE .................................................................................................................. 10
CONCLUSION ......................................................................................................................................... 11
REFERENCES .......................................................................................................................................... 12
EXECUTIVE SUMMARY
In 2007, TJ Maxx fell victim to a data breach involving the theft of financial information of 94
million customers. The unprecedented scale of this breach brought the importance and
vulnerability of Enterprise Information Systems to the public eye. And so began a trend of
mainstream digital espionage which has so far affected major companies and organizations like
Sony, Heartland, Target, Adobe, EBay, JP Morgan and even the government agencies.
Properly managing and securing customer data has become paramount now more than ever.
Companies are scrambling to patch digital loopholes and stay ahead of the information technology
(IT) arms race. With the internet offering massive amounts of knowledge and tools in increasingly
open-source formats, almost anyone anywhere in the world is able to circumvent many old IT
security standards.
A company like Publix is a prime potential candidate for a data breach or unauthorized access to
its data network. With the current systems already in place, it is only a matter of time before
malicious data thieves are able to gain access to confidential customer information. This white
paper aims to explore the vulnerabilities in Publix’s information systems infrastructure, while
providing insights into the trends and severity of these issues.
Recommendations regarding the company’s digital security are outlined and explained in detail.
These include operational policy changes such as better employee training, overhauled access
controls, and better contingency plans in the event or risk of breaches. Other recommendations
include infrastructural upgrades such as newer point-of-sale systems, higher network bandwidths,
and other ways to improve system maintenance practices.
A strong and well-implemented information network is critical in not only keeping business and
customer data safe, but also an important requirement of modern business according to strict
federal operational laws.
INTRODUCTION
In January 2007, TJX Companies, Inc., the parent company of T.J. Maxx and Marshalls,
announced that it fell subject to one of the biggest consumer data security breaches of all time.
After investigation, the company announced that over 94 million Visa and MasterCard accounts
were compromised. The scale of the financial effects were so big that the breach is now classified
as the third largest security breach of all time. The direct cost of the aftermath reached upwards of
$256 billion which far exceed the original estimates by ten times. So what went wrong? First,
adequate wireless network security was absent. More specifically, the company used the wireless
security protocol called wired equivalent privacy (WEP). The issue with WEP is that the protocol
can be so vulnerable to hacking that it does not comply with corporate industry standards.
Consequently, company records were accessed by hackers without any detection during an 18month period. Secondly, the data was stored improperly. The company used a point-of-sale (POS)
legacy system which did not comply with industry standards as well. The POS system used
recorded the card-validation code (CVC) and the personal identification number (PIN) every time
a customer made an in-store or online payment. This improper method of storing information
resulted in much ease for hackers to collect all the information in one place (Berg, Freeman, &
Schneider, Aug. 2008).
WHERE PUBLIX IS WITH DATA SECURITY
How is this relevant? Well, Publix does not operate much differently from TJ Maxx, therefore,
an awareness of the situations that transpired at TJ Maxx and similar companies is beneficial to
Publix.
Publix Super Markets Inc., is an employee owned supermarket chain based in Lakeland, Florida
operating about 1084 stores across six states in the southeastern region of the country. Florida
has the most stores with 756 and all other each having less than 100 stores each. Publix is
recognized as a top Fortune 100 best company to work for in the U.S, and is the largest private
company in Florida. Revenue in 2013 reached over $27.7 billion, with a net income of about
$1.5 billion in the same year. The company employs over 167,000 workers nationwide (“Facts
and Figures,” 2014).
As of this publication, Publix has not had any history or encounters with direct attacks to its I.T.
infrastructure. The company has made great strides in acquiring state of the art data security
measures, while partnering with some of the industry’s best data security analysts and experts.
However, these measures do not completely make Publix invulnerable to data breaches.
Information technology is an ever-evolving sector where existing standards are constantly
rendered obsolete and newer ones created every day. In 2012, security firm McAfee Security
Solutions identified eight million new unique malicious software code distributed worldwide.
Consequently, data security software has had to adapt drastically to address each of these threats,
while also containing previous existing ones. (“Security Considerations,” 2012).
Change has simply been accepted as a constant in the world of I.T. Furthermore, as the industry
continues to grow, and more standards and technologies become open-sourced, more people will
have easy access and knowledge about digital data technology more than ever before.
This poses new challenges in the quest to secure data systems for a company like Publix -- the
most obvious being: how to stay ahead of I.T. trends in an environment where change happens
often and happens quickly?
THE EXISTING DATA SYSTEMS, SUCCESSES,
OPPRTUNITIES AND RISKS AT PUBLIX
Publix currently has an IT infrastructure which is considered relatively average by industry
standards. The digital network at Publix retail outlets can be broadly categorized into Point-ofSale systems, customer data storage, access control, and the underlying private network that binds
all these systems together. This is a self-sufficient information loop which also shares data with
external networks like the Publix distribution supply network, the internet, as well as the
authorization systems used at various third-party merchant and finance institutions.
Publix has been very successful keeping in line with state-of-the-art security trends by partnering
with top security companies and investing significantly to keep compliance with industry bestpractices.
There are, however, areas where Publix can improve and fortify its systems. The company’s retail
system is currently concentrated across the American Southeast and accessed by the public
constantly. Protection against cyber-attacks, although ever challenging, can be successfully
managed if planned well. Fortunately, Publix is still a growing company and currently not as
geographically dispersed as some of its competitors. This makes the task of data security, slightly
more manageable
THE MAIN AREAS OF RISK CURRENTLY INCLUDE
Security Patches: Although Publix has the requisite data hardware and software, keeping these
systems up-to-date can prove challenging, especially where there are thousands of devices
involved across all 1084 Publix store locations. In-store systems go un-updated or unpatched for
long periods of time, unlike other Publix enterprise systems. This is because Publix store networks
currently have limited connectivity, bandwidth and service models to receive these security
updates automatically.
Maintenance Hurdles: In order for any information system to run efficiently and securely, it
requires regular maintenance by technical system experts who are capable of detecting,
diagnosing, and repairing any potential problems. In several of Publix’s remote store locations,
maintenance tends to be a real challenge. Typically, issues that require anything more than a simple
reboot takes several days to fix as technicians need to travel long distances to these locations to
address maintenance issues.
Also, at some of these remote store locations, Publix still uses older legacy Point-of-Sale systems
older than 7 years, which poses serious risk to the data network. Some vendors of these systems
have discontinued support and no longer send important system updates to fix new security threats.
Network loopholes: In the Information Technology industry, wireless networks remain a security
weak link. There has been good progress made in making wireless networks more secure, but
there’s still much that can be done. Intruders with enough sophisticated knowledge are able to
break into even the most secure governmental and banking networks. Wireless networks are a
security liability which require constant monitoring and management. Publix Stores’ current
wireless infrastructure, the WPA (Wi-Fi Protected Access) protocol, which although currently
acceptable by mainstream consumer standards, will need further upgrading for added security. The
more secure WPA-Enterprise standard is specifically designed for enterprise networks and requires
the use of complex integrated authentication servers. This upgrade protects against “brute-force”
password hacking and other common malicious attacks.
Physical compromise: Another identified risk to Publix’s data network is the level of physical
access employees have to the Publix computer hardware and devices. Anyone with physical access
to a retail system is able to attach USB drives and other peripherals capable of introducing
malicious software into the system. Once these systems get infiltrated by unauthorized software,
any data contained within can be downloaded and stolen by unauthorized parties or “hackers”.
STEPS TO REDUCE VULNERABILITY TO DATA SECURITY
BREACH
Train employees on how to deal with sensitive data:
Just like a motor vehicle needs periodic oil changes and tire rotations, the IT personnel or external
IT experts must periodically assess risks regarding data security breaches. The importance of
periodic assessment arises because a minor change in the network infrastructure could possibly
expose the system to vulnerabilities. As mentioned before, innovative methods of attacks are
invented daily, so what was considered secure yesterday may not be secure today. The most
efficient and effective way to accomplish an assessment is through prioritization. Prioritization
ensures that best use of the limited and valuable resources are allocated to areas assessed as vital.
IT experts should have vast knowledge regarding the relative significance of the diverse sets of
applications, systems, data, storage and other communication mechanisms. A system or network
architecture, such as a network diagram illustrating the manner by which assets are configured and
interrelated should be of immense help when identifying critical areas for resource allocation (see
diagram below) (Schmittling, 2010)
Another reason why periodic assessments are of uttermost importance is that they can help a
business such as Publix comply with government regulations that dictate various security
measures. Regulations found under FISMA and the Sarbanes-Oxley all dictate various
compliance measures that if not met, penalties and various other direct and indirect costs may
result.
Provide proper employee training:
To ensure employees protect your valued business data, Publix can establish a cyber-safety
training program. Most importantly, the company must provide employees with ways for creating
strong and distinct passwords. Employees have the tendency to create passwords that are easy to
remember but they made must be made aware that actions like these open the doors to cyber
attackers to gain easy access to private information. Moreover, to ensure proper restrictions exist
for accessing various devices, users should be assigned role-based access and be granted access
only to the applications or information they need. Segmenting user and administrator privileges by
roles enhances security by minimizing the extent of harm that they can cause — either intentionally
or by accident. Furthermore, employees must be educated on certain scams such as phishing which
is a type of scam under which cyber-criminals pose as personnel of the company to gain access to
sensitive information. Another way to minimize security breaches is to advise every personnel to
encrypt every information exchanged. Encrypting information allows only the intended recipient
to open a document with a given code.
Secure data physically and virtually
Physical location of data is another important aspect of protecting against unintended intruders.
The first step must first deal with distinguishing between data that is considered sensitive versus
data that needs no special security. Once that’s accomplished, all of the restricted data must be
physically separated and placed in a secure facility. Oracle can provide systems that can only be
accessed by authorized personnel. Upon the event that the system is tempered with, immediate
notification will be sent to the information technology department. A system that prompts and
validates a combination of a user identification and fingerprint (or facial) identification is
recommended.
As recently stated, the determination of what information is important must be made. All
information and data that is not considered necessary must be disposed of. Our advice to all
businesses if that the less information you have around, the less vulnerable you are to theft of data.
Businesses should only collect those pieces of data that are really needed. Don't put your customers
and business at risk by storing credit card numbers that are not needed. And never prompt
customers use their Social Security number as an identifier.
Virtual protection can be accomplished by helping you implement a highly secured virtual private
network (VPN). VPNs are highly suggested when exchanging information among different offices
or stores located in different areas of the country. As the name suggests, a VPN allows access to a
private network only to devices that are granted access through prompted credentials. VPNs can
highly secure your computer's internet connection to guarantee that all of the data you're sending
and receiving is encrypted and secured from unwanted users.
STEPS PUBLIX CAN TAKE
CONCLUSION
As it can be seen on the graph above, hacking and malware threats have grown and continue to
grow at an immense speed. On average, a data security breach costs companies about $200 per
customer security breach. This figure mostly constitutes legal defense and settling costs (“2011
Cost of Data,” 2011). For a retailer such as Publix, claims from a data breach can come from
diverse parties such as customers, lenders, and suppliers. Aside from the direct costs, companies
can adversely suffer other indirect financial and nonfinancial effects. One of the biggest and
destructive side effects is the manner by which public relations can negatively be affected. Once
consumers, investors, lenders, and other interested parties become aware of a certain data breach,
they may subsequently limit their business with the particular company affected. For these
reasons, companies like Publix must ensure that they comply with current regulatory standards
and go beyond to protect themselves from any cyber threat.
Added security most certainly involves additional costs as recently discussed but rational
managers should be able to comprehend that the benefit received from added security almost
always outweigh the initial associated costs in the long term. For this reason, it is highly
advisable that a business such as Publix needs to invest in the implementation of various security
functions. First, there need to periodic assessments of security risks. To accurately assess risk, IT
personnel must identify the sectors of IT that are most valuable to the organization and direct the
needed resources to such segments. Without the elevation regarding the relevance of the various
types of data in the organization, it could nearly be impossible to prioritize and allocate
technology resources where they are urgently needed the most. Second, there needs to be
physical and virtual protection from all unwanted intruders. Data storage repositories, such as
database management systems must be properly secured and the organization must ensure that
all malware protection software need to be up-to-date and secure. Finally, employees must
receive in-depth training regarding the proper handling of physical assets, such as hardware
devices used in the data center and communication components or peripherals (e.g., PDAs,
laptops, and desktops). In summary, businesses should scrutinize and be highly aware of what
information they possess and implement enough security to protect themselves and avoid
becoming victims of security data breach.
REFERENCES

2011 Cost of Data Breach Study: United States. (2014, Nov. 17). Ponemon Institute.
Retrieved from
http://www.ponemon.org/local/upload/file/2011_US_CODB_FINAL_5.pdf

Berg, G., Freeman, S., & Schneider K. (2014, Nov. 17). Analyzing the TJ Maxx Data
Security Fiasco.
The CPA Journal. Retrieved from
http://www.nysscpa.org/cpajournal/2008/808/essentials/p34.htm

Facts and Figures. (2014, Nov. 17). Publix.com.
Retrieved from
http://corporate.publix. com/about-publix/company-overview/facts-figures

Schmittling, R. & Munns, A. (2014, Nov.17). Performing a Security Risk Assessment.
ISACA.
Retrieved from
http://www.isaca.org/Journal/Past-Issues/2010/Volume-1/Pages/ Performing-a-SecurityRisk-Assessment1.aspx

Security Considerations for Retail System OEMS. (2014, Nov. 17). McAfee.com.
Retrieved from
http://www.mcafee.com/us/resources/solution-briefs/sb-intel-retail-system-oems.pdf

IMAGE References:
Schmittling, R. & Munns, A (Illustrators) . (2010). Figure 1-Risk Map [Illustrative Chart].
Retrieved Nov. 17, 2008, from:
http://www.isaca.org/Journal/Past-Issues/2010/Volume-1/Pages/Performing-a-SecurityRisk-Assessment1.aspx

Security Solutions for the Retail Industry [Illustration]. (2012). Retrieved Nov. 17, 2014,
from:
http://www.mcafee.com/us/resources/solution-briefs/sb-intel-retail-system-oems.pdf

The Digital Threat [Illustration]. (Sep. 30, 2014). Retrieved Nov. 17, 2014, from :
http://theheartofbigbrother.wordpress.com/2014/09/30/part-3-the-digital-threat-cyberwarfare/