TJX Companies, based in Framingham, MA, was a major participant in the discount fashion and retail industry. The TJX brand had a presence in the United States as well as in Canada and Europe. In mid-2005, investigators were made aware of serious security breaches in TJX's credit card system. These breaches were first found at a Marshalls located in St. Paul, MN, where the hackers used a "war driving" tactic to steal customer credit card information. This incident resulted in over 46 million debit and credit card numbers being compromised and is considered to be the largest security breach in US history. The security breach at TJX led the major members of the credit card association to establish the Payment Card Industry Data Security Standard (PCI DSS) in order to better regulate security requirements for merchants' credit card systems. Further investigation revealed that the breaches at TJX could be traced back to 2003. Some key factors driving this situation included the following:
TJX's lack of cybersecurity sophistication (i.e. use of WEP, servers always in administrator mode, etc.)
Overall lack of awareness by the consumer in terms of steps taken to mitigate breach risks
Unpredictable and inconsistent standards set by PCI DSS
CASE FACTS AND ANALYSIS
The key challenges TJX faced were implementing cybersecurity into its overall business model and emphasizing its importance at a corporate level. This required management and IT to align their security strategies (under the rules and regulations of PCI DSS) and take a "business back" approach, putting the focus on the important business assets. More specifically, the various issues involving both TJX and the other players in the credit card payment network include:

TECHNOLOGICAL UPGRADES/SOPHISTICATION: TJX found itself using the Wired Equivalent Privacy (WEP) security protocol for protection, whereas newer and more advanced technology was available. Starting in 2001, Wi-Fi Protected Access (WPA) was created in order to better combat hackers. Also, in 2007 it was revealed that TJX stored both credit card numbers and expiration date information together in its system.
ISSUES
Non-Compliance: WPA was required by PCI DSS; storing credit card numbers and expiration date information together violated standards as well
Reporting: Never acknowledged any of this in financial statements/reports
RESPONSE
CIO decided to run the risk of being compromised by sticking with outdated technology (WEP)

LIABILITY/RESPONSIBILITY: One of the key issues is who should be held liable for the breaches. With so many parties involved in the credit card payment process, it's difficult to define a single group solely responsible.
ISSUE
Lack of Legal Standards: no existing laws stating who should bear the burden
RESPONSE
Issues were to be handled legislatively, but the process is long and drawn out
Technology evolving faster than legislation

INCENTIVES/CONSUMER BEHAVIOR: Consumers were seemingly unaware of the data-breaching technology being implemented.
ISSUE
Lack of awareness: difficult for stores to charge higher prices in order to provide better security (customers showed no change in preferences)
SOLUTION
Played a role in TJX opting not to abide by certain PCI DSS standards, as sales continued to grow despite these breaches.

Looking at the recommendations I would make, it's important that management first recognize the function of cybersecurity in their overall business structure. They must maintain ongoing interactions with their IT specialists in order to make sure the strategies implemented are continually evolving (weighing business opportunities versus business risks).
In the article released by McKinsey titled "Meeting the Cybersecurity Challenge," there is a focus on using a "business back" approach. In this context, an entity must target the most important business processes rather than focusing on any current technological vulnerabilities. More specifically, I would recommend that TJX separate its stored credit card information. As the article puts it, "Separating credit card numbers and expiration dates vastly complicates the task." (p. 5) My personal takeaway from this case is that this is a management issue, not just an IT issue. "Companies need to make this a broad management initiative with a mandate from senior leaders in order to protect critical information assets without placing constraints on business innovation and growth." (p. 28)
CASE SPECIFIC QUESTIONS
1. There is generally a lack of clarity as to who should bear the burden when it comes to data-breach liability contracts between merchants and banks. Many of these cases end up adjudicated or settled. Also, in 2009, the average total cost of a data breach incident was $6.75 million for merchants. TJX reported, in its expenses and reserves account, probable losses of $171.5 million (estimates ran as high as $9 billion).
In terms of card issuers (financial institutions), they assumed the risk for fraud or any issues with nonpayment. In the case we learn that these issuers usually "wind up footing the bill" (p. 27). They were looking to shift this responsibility to those who are actually involved in the fraud.
2. The root causes of this breach involve overall lax cybersecurity, no laws in place to set a standard, and a general lack of incentives to keep up with technology. The case refers to an incident in which an employee chose to blog about TJX's ineffective cybersecurity strategies. The blog describes various dysfunctions that allowed hackers to gain access to important information with ease. In order to prevent such incidents from happening again, TJX could conduct simulated cyber-attacks.
3. It's imperative that management and IT are aligned in their overall protection strategies, striving to function as one team rather than as individual groups and departments. They need to make sure implementations/architectures are designed sufficiently to prevent data breaches. At the same time, these strategies must not be so inflexible that the business suffers because of them.
4. PCI must continue to evolve its compliance policies. As noted in the article, a survey was conducted by the Ponemon Institute. Of the 517 security experts involved, 60% agreed that their organization did not have the resources available to reach and maintain compliance with PCI DSS. The government needs to focus on liability issues with these breaches, as the risk of larger incidents increases.
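The recommendation above to separate card numbers from expiration dates, and question 3's point about architectures designed to prevent breaches, can be shown as a concrete storage design. The Python below is an added example written for this page; it is not TJX's code and is not taken from the McKinsey article or the Kellogg case. The PanVault, TransactionStore and record_purchase names, the HMAC-based token scheme, the in-process key, and the test card number 4111111111111111 are all constructed assumptions for the example.

```python
"""Segregated card-data storage (added example, not TJX's system).
The PAN lives only in a vault keyed by an opaque token; the business-facing
transaction store keeps the token, the expiry and a masked PAN, so neither
store on its own yields a usable card. Keys and card numbers are constructed."""
import hashlib
import hmac
import json
import secrets
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: rejects obvious typos before a PAN reaches the vault."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits visible, the rest masked
    (the truncated form PCI DSS allows on receipts and screens)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class PanVault:
    """Holds PANs and nothing else, keyed by an opaque token. Assumed to run in
    its own trust boundary (separate host, separate key custody); the HMAC key
    is generated in-process here only so the example runs offline."""

    def __init__(self, hmac_key: Optional[bytes] = None):
        self._key = hmac_key or secrets.token_bytes(32)  # constructed key
        self._pans: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("PAN failed Luhn check")
        # Keyed hash: deterministic per card (repeat purchases link up) but not
        # reversible without the key, unlike a plain SHA-256 of a 16-digit
        # number, which an attacker could brute-force from a dump.
        token = hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()[:24]
        self._pans[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the charging step that genuinely needs the PAN calls this."""
        return self._pans[token]


@dataclass
class TransactionRecord:
    txn_id: str
    pan_token: str
    expiry_mmyy: str
    amount_cents: int
    pan_display: str


class TransactionStore:
    """What the business side needs (amount, expiry, masked PAN, token) with
    no PAN, so a dump of this store cannot be used to make a card."""

    def __init__(self):
        self.records: List[TransactionRecord] = []

    def add(self, rec: TransactionRecord) -> None:
        self.records.append(rec)

    def dump(self) -> str:
        return json.dumps([asdict(r) for r in self.records])


def record_purchase(vault: PanVault, store: TransactionStore,
                    pan: str, expiry_mmyy: str, amount_cents: int) -> TransactionRecord:
    """Tokenize the PAN into the vault, keep everything else in the store."""
    rec = TransactionRecord(
        txn_id=f"txn-{len(store.records) + 1:06d}",
        pan_token=vault.tokenize(pan),
        expiry_mmyy=expiry_mmyy,
        amount_cents=amount_cents,
        pan_display=mask_pan(pan),
    )
    store.add(rec)
    return rec


def store_exposes_pan(store: TransactionStore, pan: str) -> bool:
    """What an attacker holding only the transaction store would learn."""
    return pan in store.dump()


if __name__ == "__main__":
    vault, store = PanVault(), TransactionStore()
    rec = record_purchase(vault, store, "4111111111111111", "1228", 4999)  # constructed test card
    print(store.dump())
    print("PAN present in transaction store:", store_exposes_pan(store, "4111111111111111"))
    print("charging step recovers PAN via vault:", vault.detokenize(rec.pan_token))
```

Running the block records one purchase and prints the transaction store: whoever dumps it gets a token, an expiry and a masked PAN, which together do not reconstruct a card, while the vault holds PANs with no expiry dates beside them. The keyed, deterministic token keeps repeat-customer linkage for the business without placing the PAN in the business-facing store, which is the kind of trade-off between business needs and data exposure the "business back" approach is about.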
References
Walker, Russell. “Maxxed Out: TJX Companies and the Largest-Ever Consumer Data Breach.” Kellogg Case Publishing, 2013.
Kaplan, James, Sharma, Shantnu, and Weinberg, Allen. “Meeting the cybersecurity challenge.” McKinsey Quarterly, 2011.