1. At Hannaford, the credit card data theft was conducted through SQL injection attacks, a series of steps that exploit a database vulnerability in order to pass an untrusted SQL command (Peikari and Chuvakin 377-378). SQL injection attacks were well known to retailers; however, Hannaford did not consider this threat and continued using its old SQL database management system. This fact eventually made the company an easy target for the data thieves. Moreover, weak security control of the company’s wireless network allowed the thieves to introduce sniffer programs, which could intercept card numbers with their PINs. Sniffer programs were also installed to steal information from TJX. In this case, security weaknesses were found in one of the Marshalls stores, where the network was not well protected. The store network then served as the entry point for introducing the sniffer program into the database of the parent company. Furthermore, TJX did not make the switch to WPA (Wi-Fi Protected Access) and continued using the insecure WEP (Wired Equivalent Privacy) encryption system, which did not protect the database from hacker attacks well enough. The absence of a properly installed firewall and security software made it even easier to access TJX’s database.
2. Numerous factors contributed to the problems beyond outdated versions of Microsoft SQL Server software, vulnerable wireless networks, the old WEP encryption system, and dysfunctional or inefficient firewalls and security software. The success of the attack can also be attributed to the negligence of the security controllers, who ignored the potential technical deficiencies in security and let the stolen data be transferred unnoticed for more than 7 months. Moreover, TJX did not comply with the regulations on secure card transactions, transmitted sensitive data without encryption and kept cardholder details in its system much longer than was allowed. TJX also ignored the possibility of an attack through a small store system, so store networks were not secured as well as the parent company's network. Therefore, the problem did not arise only from technical issues, but also from several organizational and human factors.
3. The data theft at TJX and Hannaford affected both consumers and other organizations. The Hannaford data protection breach impacted 71 institutions and 243,599 account holders and accounted for a loss of $1.6 million. The large number of consumers affected led to the reissuing of 246,479 cards, which carried a significant cost for partner institutions. The companies also lost the trust of many customers, especially because the breach at TJX was publicly announced only 6 weeks after its discovery. The reputation and brand image of the companies were then shattered for a long time (Herold 21-22).
4. The solutions adopted by TJX and Hannaford included the use of additional security measures, such as updated firewalls, continuous detection and monitoring, as well as traffic encryption. TJX also established an external security audit, which would assess weaknesses in the system against potential sources of threat. Although these measures are effective today, it is necessary to make sure that changes are also made on the organizational level and in human minds. Unless careful attention is paid to continuous improvement, adherence to security standards and integrity of information storage, the new technological solutions will soon become outdated, and a similar situation may happen again.
5. In this particular case the blame should be placed mostly on TJX and Hannaford, which did not comply with the regulations regarding the use, storage and transfer of credit card information. However, the banks may also be held partially liable, since they were aware of the non-encrypted data transfers but did not try to address the issue.
6. Apart from the already implemented regular audits, it might be effective to conduct internal employee training regarding security threats and regulations. Moreover, security improvements should be made across the whole network, including small shops and offices. The key success factor is continuous monitoring and improvement of security in order to be always well prepared for potential future attacks.
7. First, the thieves used a hacker tool to gain access to the unprotected network of one of the stores and to connect to the central system in TJX headquarters. In the next step, malicious software was introduced to achieve multiple objectives: steal files, break data encryption and intercept communication. Sniffer programs were installed into the network to access the transaction process between the credit card issuer and TJX during card approval. Moreover, the thieves accessed decryption keys to decipher historical card information, which was well encrypted and protected. Therefore, the thieves gained almost full access to TJX’s network and operated unnoticed for almost two years (Shaul and Ingram 22-24).
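The SQL injection weakness described in answer 1, shown as an added example that is not taken from the cited sources or from either company's systems: a query built by string concatenation beside its parameterized form, run against a constructed in-memory table. The table, column and function names and the sample tokens are assumptions made for illustration.

```python
import sqlite3

# Constructed sample data: tokens stand in for card records; no real numbers.
ROWS = [
    ("store-01", "tok_1111"),
    ("store-01", "tok_2222"),
    ("store-02", "tok_3333"),
]

def make_db():
    """Build a throwaway in-memory database (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transactions (store_id TEXT, card_token TEXT)")
    conn.executemany("INSERT INTO transactions VALUES (?, ?)", ROWS)
    return conn

def lookup_concatenated(conn, store_id):
    # Weak form: the input becomes part of the SQL text, so the database
    # cannot tell the developer's command from the caller's data.
    sql = "SELECT card_token FROM transactions WHERE store_id = '" + store_id + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, store_id):
    # Corrected form: the SQL text is fixed and the input is bound as a value.
    sql = "SELECT card_token FROM transactions WHERE store_id = ?"
    return [row[0] for row in conn.execute(sql, (store_id,))]

# Constructed untrusted input that alters the WHERE clause when concatenated.
UNTRUSTED = "store-01' OR '1'='1"

def compare():
    """Run both query styles on a normal value and on the untrusted value."""
    conn = make_db()
    try:
        return {
            "normal_concat": lookup_concatenated(conn, "store-01"),
            "normal_param": lookup_parameterized(conn, "store-01"),
            "untrusted_concat": lookup_concatenated(conn, UNTRUSTED),
            "untrusted_param": lookup_parameterized(conn, UNTRUSTED),
        }
    finally:
        conn.close()

if __name__ == "__main__":
    for name, rows in compare().items():
        print(f"{name}: {rows}")
```

With the concatenated query the untrusted value returns records for every store, while the parameterized query treats the same value as a store name that matches nothing.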
Works Cited
Herold, Rebecca. The Shortcut Guide to Understanding Data Protection from Four Critical Perspectives. San Francisco, CA: Realtime Publishers, 2009. 21-22.
Peikari, Cyrus, and Anton Chuvakin. Security Warrior. Sebastopol, CA: O'Reilly Media Inc., 2004. 377-378.
Shaul, Josh, and Aaron Ingram. Practical Oracle Security: Your Unauthorized Guide to Relational Database Security. Rockland, MA: Syngress Publishing, 2007. 22-24.