Introduction
The internet and computer networks have drastically changed the way businesses operate. In the current business environment, integrated information system based on internet and other forms of networks make up the core of the business. E-commerce is the new kind of business technology that uses electronic transfer of money between a buyer and seller. Such transfers are done on electronic codes on credit and debit cards. This kind of transaction is now practiced in almost every sector of the economy. However, for proper working of such system, secure systems need to be developed so that card information is confidential.
Just like any other security system, cyber security is not 100% secure. There are several kinds of intrusions in which external parties are able to gain unlawful access to the information system of an organization. To prevent such intrusion, system developers are required to adopt several techniques that are known to be secure. Such systems include encryptions, firewalls, physical restriction to sever rooms and password- combinations. Nevertheless, even the most secure system in the world is not free from cyber hackers. One such organization is T.J Maxx.
T.J Maxx and the intrusion
T.J Maxx is a department store chin owned by TJX Companies which was founded in 1956. T.J Maxx boasts of more than 900 stores in the United States alone with operations in other countries such as Poland, Germany, United Kingdom and Ireland . In the United States, T,j Maxx is one of the leading department stores with operation in almost every corner of the nation and is capitalized at about $13 billion .
On January 17, 2007, the company announced that its integrated information system had been breached by unauthorized users and that customer data had been stolen. Malicious intruders had managed to gain access to the computers and accessed credit and debit card information. They had also managed to view transaction record of millions of customers and the integrity of the information was in doubt . The company first discovered the intrusion in mid December 2006, but investigators requested that the incident be kept confidential to give room for proper investigation.
After the investigation, the results were chilling. The company had exposed important financial information of more than 45 million American customers. In additional, other key information such as driver license numbers and social security numbers of about 451,000 customers had been downloaded by the hackers . This was against public concern that ensures credit and debit card information held by companies should be in confidence.
The manner in which the hackers were able to gain access was rather easy. The network used by the company was a weak wireless network commonly referred to the Wired Equivalent Privacy (WEP) protocol. This is a much weaker network protocol and the encryption techniques used under WEP is equally weaker. In this kind of network, a simple algorithm would allow hackers to eavesdrop on communication. However, this technology has long been replaced by a more secure form of wireless network protocol referred to as Wi-Fi, which is commonly used. This makes many to wonder how a billion-dollar company could not use a cheap and secure Wi-Fi network.
Moreover, investigations found that company had not installed any firewalls or software patches as directed by Visa and MasterCard . Lack of firewalls in the information system of the company exposed data to malicious intruders who may not be very sophisticated. With these weaknesses, hackers were able to simply deploy a Wi-Fi antenna and a laptop in a neighborhood in Minnesota. They were able to access incoming transmissions and eavesdrop on the employees logging into the central severs of the company.
Once they were able to access central server at Framingham, Massachusetts, they created their own accounts hence giving them unlimited access to data in the central servers. In this manner the integrity of the data had been compromised. They would access this information from any remote location in the country and could make any changes that they wanted. Additionally, the intruders also used the company sever to pass encrypted messages amongst themselves . This meant the company could not utilize its resources as the intruders used it for themselves.
Intruders of T.J Maxx took full advantage to the situation. Stolen credit card information was used in almost eight states within the United States. Cases of same credit card numbers used also spread to other countries such as Japan, Mexico, China and Italy. On one occasion, the hackers were able to perform an eight million dollar transaction with a leading supermarket chain in the state of Florida . This had curtailed confidentiality of customer information.
References
Ballad, B., Ballad, T., & Banks, E. (2008). Access Control, Authentication, and Public Key Infrastructure. Boston: Jones & Bartlett Publishers.
FitzGerald, J., & Dennis, A. (2008). Business Data Communications and Networking. New York: John Wiley and Sons.
Greenemeier, L. (2009, March 29). T.J. Maxx Parent Company Data Theft Is The Worst Ever. Retrieved Feb 29, 2012, from informationweek.com: http://www.informationweek.com/news/198701100?pgno=1