
K-603 Case Report 8

Issues

- Collects too much information (e.g. driver's license #, Military & State ID #, Social Insurance #). This information is obtained from customers who return merchandise without receipts and from cheque transactions.
- Keeps information for too long. Files go back as far as 2002. During this period (2002 to 2006) the Framingham system was not masking payment card PINs or cheque transaction information, so customers' files were vulnerable prior to 2006.
- Relies on weak encryption technology. Uses the encryption algorithm provided by the vendor. During the payment card issuers' approval process, data is transmitted to the card issuers without encryption. It is during this window, while the data is decrypted, that attackers can capture it. Furthermore, intruders have access to decryption tools for the encryption software.
- Intrusion at multiple points of attack:
  1) Wireless: used price check guns and their interactions with the database controller to capture IP addresses. Used this data to crack the encryption code. Stole usernames/passwords to set up their own accounts to collect data.
  2) USB drives: used kiosks as entry points, loading software onto terminals that let the intruder use them as remote terminals that could connect to the TJX network.
  3) Processing logs: TJX didn't have the log data needed to do forensic analysis. Such logs could provide information about files on the system, who used them, and when, making it easier to trace unauthorized access and increase security.
  4) Compliance & audit practices: TJX had not met 9 of the 12 PCI DSS requirements. TJX had passed the PCI DSS audit checkup but the audit missed 4 key problems: 1) absence of network monitoring, 2) absence of logs, 3) unencrypted data, 4) retaining customer data for too long.

Recommendations/Improvements

- Switch the wireless security from WEP (Wired Equivalent Privacy) to WPA (Wi-Fi Protected Access). WEP is less secure and easier to crack than WPA. Ensure the entire company's wireless accessories and software are secured through WPA. Furthermore, configure the router to restrict access to specific computers using MAC (media access control) filtering. MAC filtering only allows access for known devices (a MAC address is unique and identifies a device) with the correct passphrase. Also, ensure that the log-in password for the router is strong and difficult to guess/crack.
- Eliminate storage of sensitive authentication data. Do not store vital credit card data on local machines; use third-party services instead. Do not store data collected from a card's magnetic stripe. TJX violated industry standards by storing contents from customers' cards such as the CVC and PIN #. A merchant should not store sensitive data.
- Improve data-retention policies. Do not retain customer data any longer than permitted by card issuers. Do not retain data any longer than necessary to document the underlying transactions. Collect only the information necessary for the transaction. If you have to keep data (e.g. license #), then make sure there's a way to mask it or encrypt it (e.g. converting the license # to a unique identifying #).
- Implement physical & electronic controls. For example, credit card scanners should be bolted to the counter. Otherwise a thief could replace a retailer's scanner with another scanner that also stores scanned customer information on a hidden chip.
- Improve the encryption process. Ensure the customer's primary account # is unreadable and that the encryption key is protected from misuse and disclosure.
- Monitor the computer system and maintain traffic logs. This allows the company to see who took what data, from where, where it was sent, etc. Future intrusions will be easier to track, and this improves overall security.
- Accelerate and improve security governance. Implement the improvements needed to become PCI compliant, improve access controls, audit access on a regular basis, and check log files and access.
- Train employees. Conduct background checks on employees and train them about the possibility of security breaches and how to avoid them. The security of a company's information system relies upon the honesty and competency of its employees.
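The data-retention, masking and "do not store sensitive authentication data" recommendations above, as an added example that is not part of the case report: a Python routine that reduces a raw point-of-sale record to what a merchant may keep (truncated PAN, no track data/CVC/PIN, license number replaced by a keyed token) and stamps it with a purge date. The key, the 90-day period and the field names are assumptions made for the example.

```python
import hmac
import hashlib
from datetime import date, timedelta

# Key for pseudonymising identifiers; in production it comes from a key
# management system, never source code. Constructed value for this example.
PSEUDONYM_KEY = b"example-key-rotate-me"

# Assumed retention period agreed with the card issuers (hypothetical).
RETENTION_DAYS = 90

# Sensitive authentication data: must never be kept after authorisation.
SENSITIVE_AUTH_FIELDS = ("track_data", "cvc", "pin")


def mask_pan(pan: str) -> str:
    """Truncate a primary account number to first six and last four digits."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN too short to be a card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pseudonymise(identifier: str) -> str:
    """Replace a license/ID number with a keyed token so repeat returns can
    still be linked without holding the raw number on file."""
    normalised = "".join(identifier.split()).upper()
    mac = hmac.new(PSEUDONYM_KEY, normalised.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def store_record(raw: dict, today: date) -> dict:
    """Keep only what is needed to document the transaction."""
    stored = {
        "pan": mask_pan(raw["pan"]),
        "license_token": pseudonymise(raw["license"]),
        "amount": raw["amount"],
        "purge_after": (today + timedelta(days=RETENTION_DAYS)).isoformat(),
    }
    # Defensive check: the retained record must carry no SAD fields.
    violations = [f for f in SENSITIVE_AUTH_FIELDS if f in stored]
    if violations:
        raise RuntimeError(f"sensitive authentication data retained: {violations}")
    return stored


def purge_expired(records: list, today: date) -> list:
    """Drop every record whose retention period has ended."""
    return [r for r in records if date.fromisoformat(r["purge_after"]) > today]
```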
