Monday, May 13, 2013

Harvard Business Review: Case Analysis - Security Breach at TJX (908E03-PDF-ENG) from Strategic Role of IT perspective

This post presents an analysis of the HBR case Security Breach at TJX (908E03-PDF-ENG) from the Strategic Role of IT perspective. Link to the case: http://hbr.org/product/a/an/908E03-PDF-ENG?cm_sp=doi-_-case-_-908E03-PDF-ENG&referral=00103

Case Background: The chief security officer of TJX Companies Inc. (TJX) faces a dilemma on his first day on the job. In December 2006 the company discovered a computer intrusion dating back to 2005. There is an ongoing investigation into the attacks involving the Federal Bureau of Investigation (FBI). The company is also in the middle of several class action lawsuits over losses suffered by financial institutions due to breaches of customer privacy. The chief security officer has to focus on plugging the loopholes in the company's information technology (IT) security in the short term, and on taking steps to ensure in the long term that the attack does not recur. He also has to get the management of TJX to start looking at IT security not as a technology issue but as a business issue.


Introduction

TJX is one of the largest apparel and home fashion retailers in the United States in the off-price segment. IT systems play a critical role in the value chain of large retailers by enabling them to connect with their suppliers and customers. This case analyzes the security breach that took place at TJX in 2005-2006, its causes and impact, and strategic recommendations.

I. Overview of the Business

A. Company Background

TJX was founded in 1976 and operated eight independent businesses in the off-price segment: T.J. Maxx, Marshalls, HomeGoods, A.J. Wright and Bob's Stores in the United States, Winners and HomeSense in Canada, and T.K. Maxx in Europe. In 2006, TJX was the market leader and the largest off-price apparel and home fashions retailer in the US. TJX ranked 138th in the Fortune 500 rankings for 2006. TJX sold branded apparel and home fashions at prices 20% to 70% lower than department or specialty stores[1].

B. Market Segment, Products & Channels

TJX operates in the off-price retail segment and buys merchandise directly from manufacturers at wholesale prices, as well as excess goods from department and specialty stores. TJX sells branded apparel and home fashions to consumers through its 2,400 stores in the US, Canada and Europe. Off-price companies serve a special niche in the retail industry, capitalizing on volatility in consumer demand and mistakes made by designers and full-price retail outlets to keep their stores stocked with new low-price products[2]. It is the overruns and canceled orders caused by the unpredictability of the market, and the inability of designers and full-price retail stores to perfectly predict consumer demand, that create excess inventories for off-price consumption.

C. Business Strategy

TJX follows a "low cost" strategy in the niche off-price retail segment, operating between deep discounters selling unbranded products and specialty stores selling branded and premium products. In terms of Porter's generic business strategy types for achieving competitive advantage, TJX occupies the right-hand corner space, since it operates in a niche segment with cost leadership. This business strategy depends heavily on achieving operational efficiency, vendor relationships and scale.


D. Financial Position

Reviewing the financial statements of TJX for the year ending January 2007, TJX had a strong financial position with net sales of $17.4 billion and net income of $738 million[3]. Despite its low-price strategy, TJX generates a very high ROIC, averaging 30% over the past decade. These high returns are due to the company's low-cost structure and solid revenue growth[4].

II. Porter's Model of Five Competitive Forces

1. Existing Competitors

Within the off-price segment, TJX competes with Ross, Big Lots, Target, Kohl's, Sears and DSW. While TJX dominates the East Coast market in the United States, Ross, its closest competitor, focuses on West Coast markets. Big Lots (BIG) has a market share similar to Ross Stores and operates 1,400 stores in 47 states[5]. Rivalry among existing firms in the off-price industry is high. TJX also faces competition from online off-price retailers such as Overstock and Bluefly, which also offer designer-branded goods at discounted prices and have lower operating costs than TJX.

2. Threat of Substitute Products

Since TJX does not have a brand value of its own but relies on other companies' branded products, there is a high threat of substitute products in the form of clearance or outlet sales by the branded department stores themselves, which also offer large discounts and attract the brand- and price-conscious consumers that TJX targets. There is also the threat of substitute products from competitors such as Ross, Target, Sears, Overstock and Bluefly, since there is practically no cost of switching to substitutes.

3. Bargaining Power of Buyers

Since TJX has a large customer base and does not depend on a single bulk buyer for its business, the bargaining power of buyers is low.

4. Bargaining Power of Suppliers

TJX does not rely on a single source of supply, but sources its products in bulk from various brand manufacturers and department stores. Also, the products that TJX purchases from its suppliers are excess inventory which the suppliers are looking to dispose of. Hence the bargaining power of suppliers is low.

5. Threat of New Entrants

The high growth rate of the off-price retail industry may seem attractive to new entrants. However, operating successfully in this industry requires a large capital investment to purchase inventory in bulk from vendors; good vendor relationships, so that vendors sell their excess goods at a price that is profitable for the off-price retailer; a strong distribution network and geographic reach to customers; and IT systems that facilitate these connections throughout the supply chain. All of these requirements are significant barriers to entry, and hence the threat of new entrants is low.

III. Role of IT and Strategic Grid

IT plays an important role as an enabler of business in TJX’s low-cost strategy in achieving operational effectiveness, maintaining low cost and staying competitive. IT systems and networks enable rapid transmission of data between vendors, buyers, merchandisers, store associates, customers and financial institutions such as banks and other payment gateways. In-store technologies such as kiosks and barcode scanners speed up operations and enhance customer service. Customer Relationship Management systems enable TJX to identify and target profitable customers. Based on this, IT would fall in the “Factory” quadrant of the strategic grid as it provides applications that are critical to sustaining existing business for daily operations, but would not have a high impact on its core strategy of selling off-price products.


IV. Description and Brief Discussion of the Issue

On December 18, 2006, TJX learned of a security breach and intrusion into its computer systems. The systems that were broken into were based in Framingham and processed and stored information related to payment cards, checks and merchandise returned without receipts[6]. TJX started an internal investigation immediately and hired security consultants General Dynamics Corporation and IBM. TJX then notified law enforcement officials and financial institutions, such as contracting banks, credit and debit card companies and cheque-processing companies, of the intrusion. On the US Secret Service's advice, TJX did not disclose the security breach to the public until February 21, 2007. The data breach affected customers in the U.S. and Puerto Rico, Canada and the U.K., but TJX could not specify the amount of data that had been breached. The security breach exposed multiple vulnerabilities in TJX's IT networks, systems and processes, which are described below:

A. Inadequate wireless network security

TJX was using the weak WEP (Wired Equivalent Privacy) protocol to secure the wireless networks within its stores; WEP can be cracked in under a minute. WEP does not satisfy industry standards, which require the much stronger WPA (Wi-Fi Protected Access) protocol[7]. The hackers exploited the wireless network at a Marshalls store to gain access to the central database.

B. Lack of in-store physical security of assets

According to InformationWeek, the hackers opened up the in-store kiosks and used USB drives to load software onto those terminals, turning them into remote terminals connected to TJX's networks. This brings forth the issue of negligence and the lack of monitoring and securing of physical in-store IT assets.

C. Lack of firewalls

The fact that the hackers were able to gain access to TJX's main network through tampered in-store kiosks brings forth the issue of a lack of firewalls to defend against traffic coming from the kiosks.

D. Lack of data encryption during transmission

TJX was transmitting data to its payment card issuers without encryption, making it easy to intercept. Also, TJX had stated in its public statement that the hackers had access to the decryption tool for the encryption software used by TJX.

E. Violation of PCI standards

PCI Data Security Standard (PCI DSS) Requirement 3.2 clearly states that after payment authorization is received, a merchant is not to store sensitive authentication data such as the card validation code (CVC), PIN or full-track data[8]. TJX's customer records appear to have included the CVC and the personal identification numbers (PINs) associated with the customer cards.
PCI requirements essentially put the onus of adhering to the standard on the company itself for Level 2 and Level 3 merchants, through an annual self-assessment questionnaire and quarterly scans by an approved vendor. This is easy to violate, since the network scans are typically automated scans (for example by McAfee) and cover only the networks that the company specifies; they do not include a scan of the database to check for unencrypted data. TJX was in violation of PCI standards by retaining unencrypted data.
When I was working as a project manager for ChemistDirect.co.uk, an e-commerce website, we performed monthly audits to ensure PCI compliance, especially for the master and slave databases that contained customer information. Before the data privacy act in the UK, e-commerce websites would store the customer's credit card and CVC number, so our database contained this information for some old customers. As per the data privacy act and PCI standards, e-commerce websites can now only store the last 4 digits of the customer's credit card, so this old credit card information had to be manually deleted from the database. This would not have been found by an automated network scan. Hence, it is the responsibility of the company to protect its customers' data.
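The two points above, that sensitive authentication data must be dropped once authorization is received and that a network-only scan never looks inside the database for stored card numbers, can both be made concrete in code. The following example is added here and is not from the case or from TJX; the records, field names and transaction ids are constructed for illustration. It sanitizes a post-authorization record down to the last four digits of the card number, and it scans serialized rows for full card numbers using a Luhn check, which is the kind of database-content check the self-assessment regime described above does not include.

```python
import json
import re

# Constructed sample of a merchant's post-authorization records (hypothetical, not TJX data).
# Record T-1001 keeps everything the terminal saw; record T-1002 keeps only what is needed.
SAMPLE_RECORDS = [
    {"txn_id": "T-1001", "pan": "4111111111111111", "exp": "1208", "cvc": "123",
     "pin": "4321", "track2": "4111111111111111=12081011000012345678", "amount": 59.99},
    {"txn_id": "T-1002", "pan_last4": "0005", "exp": "0309", "amount": 12.50},
]

# Sensitive authentication data that PCI DSS Requirement 3.2 forbids keeping after authorization.
SENSITIVE_AUTH_FIELDS = {"cvc", "cvv", "cvv2", "pin", "pin_block", "track1", "track2"}

# 13-19 digit runs that are not embedded in a longer digit run; candidates are confirmed with Luhn.
PAN_PATTERN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which separates real card numbers from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled, digit-summed
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def sanitize_after_authorization(record: dict) -> dict:
    """Return a copy with sensitive authentication data removed and the PAN truncated to its last four digits."""
    clean = {k: v for k, v in record.items() if k not in SENSITIVE_AUTH_FIELDS}
    pan = clean.pop("pan", None)
    if pan is not None:
        clean["pan_last4"] = pan[-4:]
    return clean


def find_stored_pans(rows) -> list:
    """Scan serialized rows for full card numbers and return the ids of offending rows.

    This is the database-content check that a network-only vulnerability scan never performs.
    """
    offending = set()
    for row in rows:
        for match in PAN_PATTERN.finditer(json.dumps(row)):
            if luhn_ok(match.group(0)):
                offending.add(row.get("txn_id"))
    return sorted(offending)


if __name__ == "__main__":
    print("rows storing full PANs:", find_stored_pans(SAMPLE_RECORDS))
    cleaned = [sanitize_after_authorization(r) for r in SAMPLE_RECORDS]
    print("after sanitizing:", find_stored_pans(cleaned))
    print(json.dumps(cleaned[0]))
```

Run against the constructed records, the scanner flags T-1001 (it stores the PAN twice, once as a field and once inside the track-2 data) and nothing after sanitizing; the PIN and amount are never mistaken for card numbers because they fail the length or Luhn test.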

F. Lack of regular audits

TJX did not have regular internal or external security or network audits in place; this may be why the security breach went undetected for almost 18 months. TJX performed an annual self-assessment for PCI compliance and was in violation. It also did not have a risk mitigation and management strategy in place.

G. Lack of processing logs

TJX did not keep the processing logs on its systems that are necessary to perform a forensic analysis of the system, such as when it was accessed and what files were added, changed or deleted, which is very important when processing millions of transactions.

V. MOT Triangle

TJX's business strategy (mission) is to be a global, off-price value company by building its businesses gradually and providing a secure foundation and strong infrastructure[9]. In terms of information strategy, TJX had the necessary IT systems in place to enable the business: networks that support vendor relationship management and CRM systems that helped target profitable customers. TJX also effectively implemented barcode scanners and kiosks to speed up business operations. However, its organizational strategy is not in line with its business strategy of providing a secure foundation. There is a clear lack of ownership and authority for IT network and systems security. There are no business processes defined for monitoring and regular internal audits. There are no incentives or rewards for identifying or reporting security issues internally. The company's culture is oriented towards growing the business through a focus on low cost, but not necessarily on a secure infrastructure. Hence, the MOT triangle depicted below is uneven.

VI. Recommendations

To align the organizational strategy with the business strategy and information strategy, the management at TJX will need to focus seriously on establishing an IT governance, risk mitigation and management strategy. The action plan for the immediate future must be to contain the security breach and implement steps to fix the vulnerabilities. First and foremost, TJX must upgrade its wireless network security protocol to WPA at all of its store locations. TJX must also secure its physical assets to ensure that they cannot be tampered with; they should be located near security cameras or store registers to ensure constant vigilance. TJX should implement firewalls to control the kiosks' access to the system, and should look at implementing a three-tier architecture in which the database layer is completely separated from the application layer that the kiosks can reach. TJX should also use a strong encryption algorithm such as MD5 (Message Digest 5) or AES (Advanced Encryption Standard) to store and transmit any information. It should also not store any customer data that is not required or that PCI standards prohibit. TJX must ensure that process and access logs are maintained on each and every system.
At an organizational level, TJX should create formal procedures for risk management and use a RACI (Responsible, Accountable, Consulted and Informed) matrix to assign key responsibilities such as network security scans and upgrades, internal PCI audits and firewall scans, and ensure that these activities are carried out as planned. TJX should also look at having independent IT security audits on a quarterly basis. An effective risk management process will provide reduced cost of operations, predictability, transparency and confidence, avoidance of security breaches, and enhanced capabilities[10]. Training should be conducted throughout the organization to increase awareness of basic IT security measures, such as not sharing passwords or leaving computer systems unlocked, to prevent internal security breaches. Management should promote employee rewards for exposing IT system or network vulnerabilities. At Accenture where I worked, each project team has a "security monitor" who is in charge of reporting non-compliance with policies such as internal password exchanges or leaving work computers or laptops unlocked. TJX management must drive the organizational strategy for a secure IT framework to meet its strategic goals.
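The firewall and three-tier recommendations above amount to a network policy: kiosks may reach only the application tier, only the application tier may reach the database, and anything else is denied. The following policy evaluator is an added example, not TJX's configuration; the address ranges, ports and flows are constructed. It contrasts the flat "everything reaches everything" policy implied by the breach with a tiered, first-match, default-deny rule set, and evaluates a handful of flows under each so the difference is visible before any of it is translated into real firewall rules.

```python
import ipaddress

# Constructed addressing plan for a three-tier store network (hypothetical, not TJX's).
ANY = ipaddress.ip_network("0.0.0.0/0")
KIOSK_NET = ipaddress.ip_network("10.10.0.0/16")  # in-store kiosks and wireless clients
APP_NET = ipaddress.ip_network("10.20.0.0/24")    # application tier the kiosks talk to
DB_NET = ipaddress.ip_network("10.30.0.0/24")     # database tier, reachable only from the app tier

# Rules are (action, source network, destination network, destination port or None for any port).
# Evaluation is first match wins; a flow that matches no rule is denied.
FLAT_RULES = [("allow", ANY, ANY, None)]          # the "before": kiosks can reach the database directly
TIERED_RULES = [
    ("allow", KIOSK_NET, APP_NET, 443),           # kiosks may only reach the application tier over HTTPS
    ("allow", APP_NET, DB_NET, 5432),             # application tier may reach the database tier
    ("deny", KIOSK_NET, DB_NET, None),            # explicit, so kiosk-to-database attempts stand out in logs
]


def evaluate(src: str, dst: str, port: int, rules) -> str:
    """Return 'allow' or 'deny' for one flow under a first-match, default-deny policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet, rule_port in rules:
        if s in snet and d in dnet and (rule_port is None or rule_port == port):
            return action
    return "deny"


def audit_flows(flows, rules):
    """Evaluate (src, dst, port) flows and return each with its verdict."""
    return [(src, dst, port, evaluate(src, dst, port, rules)) for src, dst, port in flows]


# Constructed flows an auditor would want to check against the policy.
SAMPLE_FLOWS = [
    ("10.10.4.17", "10.20.0.5", 443),    # kiosk -> application tier, the intended path
    ("10.10.4.17", "10.30.0.9", 5432),   # kiosk -> database tier, must never be allowed
    ("10.20.0.5", "10.30.0.9", 5432),    # application tier -> database tier
    ("10.10.4.17", "10.20.0.5", 22),     # kiosk -> application tier over SSH, not needed
]

if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("tiered", TIERED_RULES)):
        print(name)
        for src, dst, port, verdict in audit_flows(SAMPLE_FLOWS, rules):
            print(f"  {src} -> {dst}:{port}  {verdict}")
```

Under the flat policy every flow is allowed, including a kiosk talking straight to the database; under the tiered policy only the two intended paths survive, and the explicit deny rule exists so that a kiosk attempting to reach the database tier can be logged and investigated rather than silently dropped by the default.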




[1] Chandrasekhar, R., & Haggerty, N. (2008, March 12). Security Breach at TJX. Harvard Business Review, 1. Retrieved from 908E03
[2] Industry: Off-price Retail. (n.d.). WikiInvest. Retrieved February 2, 2013, from http://www.wikinvest.com/industry/Off-price_Retail
[3] TJX Annual Report 2006. (2007, January). Retrieved February 2, 2013, from http://www.tjx.com/investor_annualreports.asp
[4] TJX Companies Inc.: Riding The Consumer Value Wave. (2011, December 9). Seeking Alpha. Retrieved February 2, 2013, from http://seekingalpha.com/article/312877-tjx-companies-inc-riding-the-consumer-value-wave
[5] Industry: Off-price Retail. (n.d.). WikiInvest. Retrieved February 3, 2013, from http://www.wikinvest.com/industry/Off-price_Retail
[6] Vijayan, J. (2007, March 29). TJX data breach: At 45.6M card numbers, it's the biggest ever. Computerworld. Retrieved February 3, 2013, from http://www.computerworld.com/s/article/9014782/TJX_data_breach_At_45.6M_card_numbers_it_s_the_biggest_ever
[7] Berg, G., Freeman, M., & Schneider, K. (2008, August). Analyzing the TJ Maxx Data Security Fiasco. The CPA Journal, NYSSCPA.ORG. Retrieved February 3, 2013, from http://www.nysscpa.org/cpajournal/2008/808/essentials/p34.htm
[8] Berg, G., Freeman, M., & Schneider, K. (2008, August). Analyzing the TJ Maxx Data Security Fiasco. The CPA Journal, NYSSCPA.ORG. Retrieved February 3, 2013, from http://www.nysscpa.org/cpajournal/2008/808/essentials/p34.htm
[9] Our Businesses. (n.d.). The TJX Companies, Inc. Retrieved February 2, 2013, from http://www.tjx.com/businesses.asp
[10] Building confidence in IT Programs. (2011, September). Ernst & Young. Retrieved February 4, 2013, from http://www.ey.com/Publication/vwLUAssets/Building_confidence_in_IT_programmes_through_programme_risk_management/$FILE/Insights_IT_Building_confidence_in_IT_programs.pdf


