Monday, May 13, 2013

Harvard Business Review: Case Analysis - Security Breach at TJX (908E03-PDF-ENG) from Strategic Role of IT perspective

Presenting an analysis of the HBR case  Security Breach at TJX (908E03-PDF-ENG) from Strategic Role of IT perspective. Link to the case http://hbr.org/product/a/an/908E03-PDF-ENG?cm_sp=doi-_-case-_-908E03-PDF-ENG&referral=00103 

Case Background: The chief security officer of TJX Companies Inc. (TJX) faces a dilemma on his first day on the job. The company has discovered in December 2006, a computer intrusion dating back to 2005. There is an ongoing investigation, involving the Federal Bureau of Investigation (FBI) into the attacks. The company is also in the middle of several class action law suits over losses suffered by financial institutions due to breaches of customer privacy. The chief security officer has to focus on plugging the loopholes in the company's information technology (IT)security, in the short term, and taking steps to ensure in the long term that the attack does not recur. He also had to get the management of TJX to start looking at IT security not as a technology issue but as a business issue. 


Introduction

TJX is one of the largest apparel and home fashion retailers in the United States in the off-price segment. IT systems play a critical role in the value chain of large retailers by enabling them to connect with their suppliers and customers. This case analyzes the security breach that took place at TJX in the years 2005-2006, its causes and impact, and strategic recommendations.

I. Overview of the Business

A. Company Background

TJX was founded in 1976 and operated eight independent businesses in the off-price segment: T.J. Maxx, Marshalls, HomeGoods, A.J. Wright and Bob's Stores in the United States, Winners and HomeSense in Canada, and T.K. Maxx in Europe. In 2006, TJX was the market leader and the largest off-price apparel and home fashions retailer in the US. TJX ranked 138th in the Fortune 500 rankings for 2006. TJX sold branded apparel and home fashions at prices between 20 and 70% lower than department or specialty stores[1].

B. Market Segment, Products & Channels

TJX operates in the off-price retail segment and buys merchandise directly from manufacturers at wholesale prices, as well as excess goods from department and specialty stores. TJX sells branded apparel and home fashions to consumers through its 2400 stores in the US, Canada and Europe. Off-price companies serve a special niche in the retail industry, capitalizing on volatility in consumer demand and mistakes made by designers and full-price retail outlets to keep their stores stocked with new low-price products[2]. It is the overruns and canceled orders caused by the unpredictability of the market, and the inability of designers and full-price retail stores to perfectly predict consumer demand, that create excess inventories for off-price consumption.

C. Business Strategy

TJX focuses on the "low cost" strategy in the niche off-price retail segment, operating between deep discounters selling unbranded products and specialty stores selling branded and premium products. In terms of Porter's potential business strategy types for achieving competitive advantage, TJX occupies the right-hand corner space, since it operates in a niche segment with cost leadership. This business strategy depends heavily on achieving operational efficiency, vendor relationships and scale.


D. Financial Position

Reviewing the financial statements of TJX for the year ending January 2007, TJX had a strong financial position with net sales of $17.4 billion and net income of $738 million[3]. Despite its low-price strategy, TJX generates incredibly high ROIC averaging 30% over the past decade. These high returns are due to the company's low-cost structure and solid revenue growth[4].

II. Porter's Model of Five Competitive Forces



1. Existing Competitors

Within the off-price segment TJX competes with Ross, Big Lots, Target, Kohl's, Sears and DSW. While TJX dominates the East Coast market in the United States, Ross, its closest competitor, focuses on West Coast markets. Big Lots (BIG) has a market share similar to Ross Stores and operates 1400 stores in 47 states[5]. There is high rivalry among existing firms in the off-price industry. TJX also faces competition from online off-price retailers such as Overstock and Bluefly, which also offer designer-branded goods at discounted prices and have lower operating costs than TJX.

2. Threat of Substitute Products

Since TJX does not have a brand value of its own but relies on other branded products, there is a high threat of substitute products in the form of clearance or outlet sales by the branded department stores themselves, which also offer huge discounts and attract the brand- and price-conscious consumers that TJX targets. There is also the threat of substitute products from its competitors like Ross, Target, Sears, Overstock, Bluefly, etc., since there is practically no cost of switching to substitutes.

3. Bargaining Power of Buyers

Since TJX has a large customer base and is not dependent on a single bulk buyer for its business, the bargaining power of buyers is low.

4. Bargaining Power of Suppliers

TJX does not rely on a single source of suppliers, but sources its products in bulk from various brand manufacturers and department stores. Also, the products that TJX purchases from its suppliers are excess inventory which the suppliers are looking to dispose. Hence the bargaining power of suppliers is low.

5. Threat of New Entrants

The high growth rate of the off-price retail industry may seem to attract new entrants. However, to operate successfully in this industry a company requires a huge capital investment for bulk purchases of large amounts of inventory from its vendors, good vendor relationships to ensure that the vendors sell their excess goods at a price that is profitable for the off-price retailer, a strong distribution network and geographic reach to its customers, and IT systems that facilitate these connections throughout the supply chain. All these requirements serve as significant barriers to entry, and hence the threat of new entrants is low.

III. Role of IT and Strategic Grid

IT plays an important role as an enabler of business in TJX’s low-cost strategy in achieving operational effectiveness, maintaining low cost and staying competitive. IT systems and networks enable rapid transmission of data between vendors, buyers, merchandisers, store associates, customers and financial institutions such as banks and other payment gateways. In-store technologies such as kiosks and barcode scanners speed up operations and enhance customer service. Customer Relationship Management systems enable TJX to identify and target profitable customers. Based on this, IT would fall in the “Factory” quadrant of the strategic grid as it provides applications that are critical to sustaining existing business for daily operations, but would not have a high impact on its core strategy of selling off-price products.


IV. Description and Brief Discussion of the Issue

On December 18, 2006, TJX learned of a security breach and intrusion into its computer systems. The systems that were broken into were based in Framingham and processed and stored information related to payment cards, checks and merchandise returned without receipts[6]. TJX started an internal investigation immediately and hired security consultants, General Dynamics Corporation and IBM. TJX then notified law enforcement officials and financial institutions such as contracting banks, credit and debit card companies and cheque-processing companies of the intrusion. On the US Secret Service's advice, TJX did not disclose the security breach to the public until February 21, 2007. The data breach affected its customers in the U.S. and Puerto Rico, Canada and the U.K., but TJX could not specify the amount of data that had been breached. The security breach exposed multiple vulnerabilities in the IT networks, systems and processes at TJX, which are described below:

A. Inadequate Wireless Network Security

TJX was using the weak WEP (Wired Equivalent Privacy) security protocol for the wireless networks within its stores; WEP can be cracked in under a minute. WEP does not satisfy industry standards, which require the use of the much stronger WPA (Wi-Fi Protected Access) protocol[7]. The hackers had exploited the wireless network at a Marshalls store to gain access to the central database.

B. Lack of In-Store Physical Security of Assets

According to InformationWeek, the hackers had opened up the in-store kiosks and used USB drives to load software onto those terminals, turning them into remote terminals that connected to TJX's networks. This brings forth the issue of negligence and the lack of monitoring and securing of physical in-store IT assets.

C. Lack of Firewalls

The fact that hackers were able to gain access to TJX's main network through tampered in-store kiosks brings forth the lack of firewalls to defend against traffic coming from the kiosks.

D. Lack of Data Encryption During Transmission

TJX was transmitting data to its payment card issuers without encryption, which made it easy to intercept. Also, TJX had stated in its public statement that the hackers had access to the decryption tool for the encryption software used by TJX.

E. Violation of PCI Standards

Requirement 3.2 of the PCI Data Security Standard clearly states that after payment authorization is received, a merchant is not to store sensitive data such as the CVC, PIN, or full-track information[8]. TJX's customer records appear to have included the card-validation code (CVC) and the personal identification numbers (PINs) associated with the customer cards.
PCI requirements essentially put the onus of adhering to the standard on the company itself for Level 2 and Level 3 merchants, through an annual self-assessment questionnaire and quarterly scans by an approved vendor. This is easy to violate, as the network scans are typically automated scans by McAfee and cover only the networks that the company specifies. They do not include a scan of the database to check for unencrypted data. TJX was in violation of PCI standards by retaining unencrypted data.
When I was working as project manager for ChemistDirect.co.uk, which is an e-commerce website, we performed monthly audits to ensure PCI compliance, especially for the master and slave databases that contained customer information. Before the data privacy act in the UK, e-commerce websites would store the customer's credit card and CVC number, so our database contained this information for some old customers. As per the data privacy act and PCI standards, e-commerce websites can now only store the last 4 digits of the customer's credit card, so this old credit card information had to be manually deleted from the database. This would not have been found by an automated network scan. Hence, it is the responsibility of the company to protect its customers' data.
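The database-level check described in this section, that a network scan never performs, can be expressed as a small script. The following is an added example written for this analysis, not code from the case or from TJX: it audits stored post-authorization records for the data that Requirement 3.2 prohibits (CVC, PIN, track data, an unmasked card number) and sanitizes them so that only the last four digits remain. Field names, record layout and card numbers are constructed sample data, not a real schema.

```python
"""Added example (not from the case or from TJX): a post-authorization
storage check for the PCI DSS Requirement 3.2 rule discussed above, plus a
sanitizer that removes what must not be retained. Field names, record
layout and card numbers are constructed test data, not a real schema."""
import re

# Sensitive authentication data that must not be retained after authorization.
PROHIBITED_FIELDS = {"cvc", "pin", "pin_block", "track1", "track2"}

# Magnetic-stripe track data: a 13-19 digit PAN followed by a field separator
# ('^' in track 1, '=' in track 2).
TRACK_PATTERN = re.compile(r"\b\d{13,19}[=^]")
# An unmasked primary account number.
FULL_PAN_PATTERN = re.compile(r"^\d{13,19}$")


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the portion a merchant may retain."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def audit_record(record: dict) -> list:
    """Return the list of retention violations found in one stored record."""
    findings = []
    for field in sorted(PROHIBITED_FIELDS & set(record)):
        if record[field] not in (None, ""):
            findings.append(f"prohibited field retained: {field}")
    for field, value in record.items():
        if isinstance(value, str) and TRACK_PATTERN.search(value):
            findings.append(f"track data found in field: {field}")
    if FULL_PAN_PATTERN.match(record.get("pan") or ""):
        findings.append("full PAN stored unmasked")
    return findings


def sanitize_record(record: dict) -> dict:
    """Return a copy with prohibited fields dropped, track data redacted
    and the PAN masked, so that audit_record() reports nothing."""
    clean = {k: v for k, v in record.items() if k not in PROHIBITED_FIELDS}
    for field, value in list(clean.items()):
        if isinstance(value, str) and TRACK_PATTERN.search(value):
            clean[field] = "[REDACTED TRACK DATA]"
    if FULL_PAN_PATTERN.match(clean.get("pan") or ""):
        clean["pan"] = mask_pan(clean["pan"])
    return clean


def audit_table(records: list) -> dict:
    """Audit every record; map record id -> findings for non-compliant rows.
    This is the database-level check that a network scan does not perform."""
    report = {}
    for record in records:
        findings = audit_record(record)
        if findings:
            report[record["id"]] = findings
    return report


# Constructed sample rows (test card numbers, not real accounts).
SAMPLE_RECORDS = [
    {"id": 1, "pan": "4111111111111111", "cvc": "123", "pin": None, "amount": "42.10"},
    {"id": 2, "pan": "************1881", "amount": "9.99"},
    {"id": 3, "pan": "5500000000000004", "amount": "130.00",
     "notes": "5500000000000004=24121010000000000000"},
]

if __name__ == "__main__":
    for rid, findings in audit_table(SAMPLE_RECORDS).items():
        print(f"record {rid}: {'; '.join(findings)}")
    cleaned = [sanitize_record(r) for r in SAMPLE_RECORDS]
    print("after sanitizing:", audit_table(cleaned) or "no violations")
```

Run against the sample rows, the audit flags record 1 (a retained CVC and an unmasked card number) and record 3 (track data copied into a free-text field), while the already-masked record 2 passes; after sanitizing, no record is flagged. The free-text check matters in practice because track data tends to leak into notes, logs and debug fields rather than into the columns a schema review would look at.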

F. Lack of Regular Audits

TJX did not have regular internal or external security or network audits in place; this could be why the security breach went undetected for almost 18 months. TJX performed an annual self-assessment for PCI compliance and was in violation. It also did not have a risk mitigation and management strategy in place.

G. Lack of Processing Logs

TJX did not have processing logs on its systems. Such logs are necessary to perform a forensic analysis of a system (when it was accessed, what files were added, changed or deleted, etc.), which is very important when processing millions of transactions.
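To make concrete what such a log has to answer, here is an added example, written for this analysis and not taken from the case or from TJX. It keeps an append-only log of who did what to which file and when, makes the log tamper-evident by chaining each entry to the hash of the previous one (so an intruder who edits an old entry breaks the chain), and diffs a file inventory against a baseline to list added, changed and deleted files. Actors, paths and digests are constructed sample data.

```python
"""Added example (not from the case or from TJX): the kind of processing
log the passage says was missing. It records who did what to which file and
when, keeps the log tamper-evident by chaining entry hashes, and diffs a file
inventory against a baseline to list added, changed and deleted files.
Actors, paths and digests below are constructed sample data."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first entry


class AuditLog:
    """Append-only event log; each entry commits to the hash of the previous one."""

    def __init__(self):
        self.entries = []
        self._last_hash = GENESIS

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor: str, action: str, path: str, when: datetime = None) -> dict:
        """Append one event (actor, action, path, timestamp) to the chain."""
        when = when or datetime.now(timezone.utc)
        entry = {"ts": when.isoformat(), "actor": actor, "action": action,
                 "path": path, "prev": self._last_hash}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        self._last_hash = entry["hash"]
        return entry

    def verify(self):
        """Return the index of the first entry whose hash or chain link does not
        check out, or None if the log is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None

    def activity_for(self, path: str) -> list:
        """Forensic question: who touched this path, and when?"""
        return [(e["ts"], e["actor"], e["action"]) for e in self.entries if e["path"] == path]


def diff_inventory(baseline: dict, current: dict):
    """Compare two {path: sha256} snapshots; returns (added, changed, deleted)."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return added, changed, deleted


# Constructed snapshots of a store terminal's application directory.
BASELINE = {"/opt/pos/bin/register": "a1" * 32, "/opt/pos/etc/config.ini": "b2" * 32}
CURRENT = {"/opt/pos/bin/register": "a1" * 32, "/opt/pos/etc/config.ini": "c3" * 32,
           "/opt/pos/bin/unknown_agent": "d4" * 32}


def build_sample_log() -> AuditLog:
    """Constructed events around the inventory change above."""
    log = AuditLog()
    t0 = datetime(2006, 12, 18, 9, 0, tzinfo=timezone.utc)
    log.record("store-kiosk-17", "write", "/opt/pos/etc/config.ini", t0)
    log.record("store-kiosk-17", "create", "/opt/pos/bin/unknown_agent", t0)
    log.record("batch-svc", "read", "/data/txn/2006-12.dat", t0)
    return log


if __name__ == "__main__":
    added, changed, deleted = diff_inventory(BASELINE, CURRENT)
    print("added:", added, "changed:", changed, "deleted:", deleted)
    log = build_sample_log()
    for path in added + changed:
        print(path, "->", log.activity_for(path))
    print("log intact:", log.verify() is None)
```

The inventory diff tells an investigator which files appeared or changed on a terminal; the log then attributes each change to an actor and a time, which is exactly what was missing at TJX. In a real deployment the log would be shipped off the terminal to a central collector, since a log that lives only on the compromised machine can be deleted along with everything else.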

V. MOT Triangle

TJX's business strategy (mission) is to be a global, off-price value company by building its businesses gradually and providing a secure foundation and strong infrastructure[9]. In terms of information strategy, TJX had the necessary IT systems in place to enable the business, through networks that support vendor relationship management and CRM systems that helped target profitable customers. TJX also effectively implemented barcode scanners and kiosks to speed up business operations. However, its organizational strategy is not in line with its business strategy of providing a secure foundation. There is a clear lack of ownership and authority in terms of IT network and systems security. There are no business processes defined for monitoring and regular internal audits. There are no incentives or rewards for identifying or reporting security issues internally. The company's culture is focused on growing the business through low cost, but not necessarily on a secure infrastructure. Hence, the MOT triangle depicted below is uneven.

VI. Recommendations

To align the organizational strategy with the business strategy and information strategy, the management at TJX will need to focus seriously on establishing an IT governance, risk mitigation and risk management strategy. The action plan for the immediate future must be to contain the security breach and implement steps to fix the vulnerabilities. First and foremost, TJX must upgrade its wireless security protocol to WPA at all of its store locations. TJX must also secure its physical assets to ensure that they cannot be tampered with; kiosks should be located near security cameras or store registers to ensure constant vigilance. TJX should implement firewalls to control the kiosks' access to the system, and should look at implementing a three-tier architecture where the database layer is completely separated from the application layer to which the kiosks have access. TJX should also use a strong encryption algorithm such as AES (Advanced Encryption Standard) to protect any information it stores or transmits; MD5 (Message Digest 5) is a one-way hash function rather than an encryption algorithm and cannot serve this purpose. It should also not store any customer data that is not required or that PCI standards prohibit. TJX must ensure that process and access logs are maintained on each and every system.
At an organizational level, TJX should create formal procedures for risk management and use a RACI (Responsible, Accountable, Consulted and Informed) matrix to assign key responsibilities such as network security scans and upgrades, internal PCI audits and firewall scans, and to ensure that these activities are carried out as planned. TJX should also look at having independent IT security audits on a quarterly basis. An effective risk management process will provide reduced cost of operations, predictability, transparency and confidence, avoidance of security breaches, and enhanced capabilities[10]. Training should be conducted throughout the organization to increase awareness of basic IT security measures, such as not sharing passwords or leaving computer systems unlocked, to prevent internal security breaches. Management should promote employee rewards for exposing IT system or network vulnerabilities. At Accenture where I worked, each project team has a "security monitor" who is in charge of reporting non-compliance with policies such as internal password exchanges or leaving work computers or laptops unlocked. TJX management must drive the organizational strategy for a secure IT framework to meet its strategic goals.




[1] Chandrasekhar, R., & Haggerty, N. (2008, March 12). Security Breach at TJX. Harvard Business Review, 1. Retrieved from 908E03
[2] Industry:Off-price Retail. (n.d.). WikiInvest. Retrieved February 2, 2013, from http://www.wikinvest.com/industry/Off-price_Retail
[3] TJX Annual report 2006. (2007, January). TJX Annual report 2006. Retrieved February 2, 2013, from http://www.tjx.com/investor_annualreports.asp
[4] TJX Companies Inc.: Riding The Consumer Value Wave - Seeking Alpha. (2011, December 9). Seeking Alpha - Stock Market News & Financial Analysis. Retrieved February 2, 2013, from http://seekingalpha.com/article/312877-tjx-companies-inc-riding-the-consumer-value-wave
[5] Industry:Off-price Retail. (n.d.). WikiInvest. Retrieved February 3, 2013, from http://www.wikinvest.com/industry/Off-price_Retail
[6] Vijayan, J. (2007, March 29). TJX data breach: At 45.6M card numbers, it's the biggest ever - Computerworld. Computerworld - IT news, features, blogs, tech reviews, career advice. Retrieved February 3, 2013, from http://www.computerworld.com/s/article/9014782/TJX_data_breach_At_45.6M_card_numbers_it_s_the_biggest_ever
[7] Berg, G., Freeman, M., & Schneider, K. (2008, August). Analyzing the TJ Maxx Data Security Fiasco. NYSSCPA.ORG | The Web Site of the New York State Society of CPAs. Retrieved February 3, 2013, from http://www.nysscpa.org/cpajournal/2008/808/essentials/p34.htm
[8] Berg, G., Freeman, M., & Schneider, K. (2008, August). Analyzing the TJ Maxx Data Security Fiasco. NYSSCPA.ORG | The Web Site of the New York State Society of CPAs. Retrieved February 3, 2013, from http://www.nysscpa.org/cpajournal/2008/808/essentials/p34.htm
[9] Our Businesses. (n.d.). Welcome to The TJX Companies, Inc. Retrieved February 2, 2013, from http://www.tjx.com/businesses.asp
[10] Building confidence in IT Programs. (2011, September). Ernst & Young - Global. Retrieved February 4, 2013, from http://www.ey.com/Publication/vwLUAssets/Building_confidence_in_IT_programmes_through_programme_risk_management/$FILE/Insights_IT_Building_confidence_in_IT_programs.pdf


