Magazine article The CPA Journal

Analyzing the TJ Maxx Data Security Fiasco: Lessons for Auditors


Article excerpt

In January 2007, TJX Companies, Inc. (TJX), the parent company of retail chains such as T.J. Maxx and Marshalls, issued a press release announcing that its computer systems had been breached and that customer information had been stolen. As the investigation into the crime continued during 2007, estimates of the number of customers affected sky-rocketed. Other reports indicated that at least 94 million Visa and MasterCard accounts had been compromised, with losses projected to approach $4.5 billion. As expected, Visa and MasterCard are seeking to recoup these losses from TJX. The sheer scale of the security breach should cause auditors to wonder about the implications for their professional practice.

What Went Wrong at TJX?

Investigations into the TJX case appear to indicate that the company was not in compliance with the Payment Card Industry (PCI) data security standards established in 2004 by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International. Reports identified three major areas of vulnerability: inadequate wireless network security, improper storage of customer data, and failure to encrypt customer account data.

Inadequate wireless network security. The store where the initial breach occurred was using a wireless network that was inadequately secured. Specifically, the network was using a security protocol known as wired equivalent privacy (WEP). One problem with WEP security is that it is easy to crack. In fact, researchers at Darmstadt Technical University in Germany have demonstrated that a WEP key can be broken in less than a minute. More important, WEP does not satisfy industry standards that require the use of the much stronger WPA (Wi-Fi Protected Access) protocol. After breaking into the store's network, the hackers then breached security at the corporate headquarters and obtained the customer account information stored there. According to a May 4, 2007, Wall Street Journal article, the intruders had access to the TJX records for 18 months without being detected.

Improper storage of customer data. The TJX data storage practices also appear to have violated industry standards. Reports indicate that the company was storing the full-track contents scanned from each customer's card. Moreover, customer records appear to have included the card-validation code (CVC) number and the personal identification numbers (PIN) associated with the customer cards. PCI Data Security Standard 3.2 clearly states that after payment authorization is received, a merchant is not to store sensitive data, such as the CVC, PIN, or full-track information. Exhibit I shows a comparison of key data items believed to have been stored by TJX, along with the relevant PCI standards.

Most likely, TJX did not retain this information with malicious intent. The company may have been using older point-of-sale (POS) software that had been designed to capture all card data and that could not be reconfigured to comply with PCI standards. This problem has been linked to credit-card security breaches at other retailers. Another possibility is that the POS software was adequate, but improperly configured.

Failure to encrypt customer data. Even if the hackers had been able to infiltrate the TJX corporate network and access the improperly stored customer records, it is likely that no harm would have resulted, had the customer data been securely encrypted. Given the large number of fraudulent transactions traced back to the TJX breach, it is obvious that either the data had not been encrypted, or the hackers stole the encryption key. In either case, industry standards were not maintained by TJX. PCI Data Security Standard 3.4 requires that at minimum, the customer's "primary account number" (i.e., the customer's card number) be "rendered unreadable." Furthermore, PCI Data Security Standards 3.5 and 3.6 require merchants to protect the encryption keys used for protecting customer data from disclosure and misuse. …
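The two storage failures described above (retaining full-track data, CVC and PIN after authorization, and keeping the account number readable) can be expressed as concrete rules that a post-authorization record must satisfy and that an auditor can test stored records against. The Python below is an added illustration written for this excerpt; it is not TJX code, PCI Council code, or part of the article. The track 2 image, the test PAN 4111111111111111, the HMAC key and the field names are all constructed for the example; a real deployment would keep the key in an HSM or key-management service rather than in source, which is what PCI DSS 3.5 and 3.6 are about.

```python
"""PCI-style handling of card data after authorization (added example).

- post_authorization_record(): keeps only what a merchant may retain
  (masked PAN, a keyed one-way token of the PAN, expiry) and drops the
  full track, CVC and PIN that PCI DSS 3.2 forbids storing.
- audit_stored_record(): the auditor's check, flagging stored records
  that still carry prohibited fields, track images or cleartext PANs.
"""
import hashlib
import hmac
import re

# Constructed sample track 2 image: ;PAN=YYMM SVC discretionary? (test PAN, not a real card)
SAMPLE_TRACK2 = ";4111111111111111=2512101123456789?"
# Assumption: demo-only key. Real keys live in an HSM/KMS (PCI DSS 3.5/3.6).
TOKEN_KEY = b"demo-only-hmac-key"

# Field names PCI DSS 3.2 says may not be stored once authorization is received.
PROHIBITED_FIELDS = {"track1", "track2", "full_track", "cvc", "cvv",
                     "cvv2", "cvc2", "pin", "pin_block"}

TRACK2_RE = re.compile(r";?\d{13,19}=\d{4}\d*\??")   # a track 2 image
PAN_RE = re.compile(r"\b\d{13,19}\b")               # candidate card numbers


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(track: str) -> dict:
    """Split a track 2 image into PAN, expiry (YYMM), service code, discretionary data."""
    m = re.fullmatch(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?", track)
    if not m:
        raise ValueError("not a track 2 image")
    pan, expiry, service, discretionary = m.groups()
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    return {"pan": pan, "expiry": expiry, "service_code": service,
            "discretionary": discretionary}


def mask_pan(pan: str) -> str:
    """PCI DSS 3.3: at most the first six and last four digits in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """PCI DSS 3.4: a keyed one-way hash renders the PAN unreadable but still matchable."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def post_authorization_record(track2: str, cvv2: str, pin: str,
                              key: bytes = TOKEN_KEY) -> dict:
    """Build the record a merchant may keep after authorization.

    cvv2 and pin are accepted only to mirror what the POS sees during the
    authorization; they are deliberately not placed in the returned record,
    and neither is the track image or the discretionary data (which carries
    the card-verification and PIN-verification values).
    """
    fields = parse_track2(track2)
    del cvv2, pin  # never persisted
    return {
        "pan_masked": mask_pan(fields["pan"]),
        "pan_token": pan_token(fields["pan"], key),
        "expiry": fields["expiry"],
    }


def audit_stored_record(record: dict) -> list:
    """Return findings for a stored record; an empty list means it passes."""
    findings = []
    for name, value in record.items():
        if name.lower() in PROHIBITED_FIELDS:
            findings.append(f"prohibited field stored: {name}")
        if not isinstance(value, str):
            continue
        if TRACK2_RE.search(value):
            findings.append(f"track data in field {name}")
        for candidate in PAN_RE.findall(value):
            if luhn_ok(candidate):
                findings.append(f"cleartext PAN in field {name}")
                break
    return findings


if __name__ == "__main__":
    good = post_authorization_record(SAMPLE_TRACK2, cvv2="123", pin="1234")
    print(good, audit_stored_record(good))
    bad = {"track2": SAMPLE_TRACK2, "cvc": "123", "note": "cardholder 4111111111111111"}
    print(audit_stored_record(bad))
```

The audit function is the piece an auditor would actually run over a sample of stored transaction records: the field-name check catches systems that store prohibited data under an honest label, and the regex-plus-Luhn scan catches the same data hiding in free-text or misnamed columns, which is how older POS software that "captured all card data" typically leaves it behind.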
