Presenting an analysis of the HBR case Security Breach at TJX (908E03-PDF-ENG) from Strategic Role of IT perspective. Link to the case http://hbr.org/product/a/an/908E03-PDF-ENG?cm_sp=doi-_-case-_-908E03-PDF-ENG&referral=00103
Case Background: The chief security officer of TJX Companies Inc. (TJX) faces a dilemma on his first day on the job. In December 2006 the company discovered a computer intrusion dating back to 2005. An investigation involving the Federal Bureau of Investigation (FBI) is ongoing, and the company is in the middle of several class action lawsuits over losses suffered by financial institutions because of the breach of customer data. The chief security officer has to focus on plugging the loopholes in the company's information technology (IT) security in the short term, and on taking steps to ensure that the attack does not recur in the long term. He also has to get the management of TJX to start looking at IT security not as a technology issue but as a business issue.
Introduction
TJX is one of the largest apparel and home fashion retailers in the United States in the off-price segment. IT systems play a critical role in the value chain of large retailers by enabling them to connect with their suppliers and customers. This case analyzes the security breach that took place at TJX in 2005-2006, its causes and impact, and strategic recommendations.
I.
Overview of the Business
A. Company
Background
TJX was founded in 1976 and operated eight independent businesses in the off-price segment: T.J. Maxx, Marshalls, HomeGoods, A.J. Wright and Bob's Stores in the United States, Winners and HomeSense in Canada, and T.K. Maxx in Europe. In 2006, TJX was the market leader and the largest off-price apparel and home fashions retailer in the US, ranking 138th in the Fortune 500 for 2006. TJX sold branded apparel and home fashions at prices 20 to 70% lower than department or specialty stores[1].
B. Market
segment, Products & Channels
TJX operates in the off-price retail segment, buying merchandise directly from manufacturers at wholesale prices as well as excess goods from department and specialty stores, and sells branded apparel and home fashions to consumers through its 2400 stores in the US, Canada and Europe. Off-price companies serve a special niche in the retail industry, capitalizing on volatility in consumer demand and on mistakes made by designers and full-price retail outlets to keep their stores stocked with new low-price products[2]. Overruns and canceled orders caused by market unpredictability, and the inability of designers and full-price retail stores to predict consumer demand perfectly, create the excess inventories that off-price retailers consume.
C. Business
strategy
TJX follows a "low cost" strategy in the niche off-price retail segment, operating between deep discounters selling unbranded products and specialty stores selling branded and premium products. In terms of Porter's generic strategies for achieving competitive advantage, TJX occupies the cost-focus position: cost leadership within a narrow market segment. This business strategy depends heavily on operational efficiency, vendor relationships and scale.
D. Financial
Position
Reviewing the financial statements of TJX for the year ending January 2007, TJX had a strong financial position with net sales of $17.4 billion and net income of $738 million[3]. Despite its low-price strategy, TJX generated an unusually high return on invested capital (ROIC), averaging 30% over the past decade. These high returns are due to the company's low-cost structure and solid revenue growth[4].
II.
Porter’s Model of Five Competitive Forces:
1.
Existing Competitors
Within the off-price segment TJX competes with Ross, Big Lots, Target, Kohl's, Sears and DSW. While TJX dominates the East Coast market in the United States, Ross, its closest competitor, focuses on West Coast markets. Big Lots (BIG) has a market share similar to that of Ross Stores and operates 1400 stores in 47 states[5]. Rivalry among existing firms in the off-price industry is high. TJX also faces competition from online off-price retailers such as Overstock and Bluefly, which offer designer-branded goods at discounted prices and have lower operating costs than TJX.
2.
Threat of Substitute Products
Since TJX has no brand of its own but relies on other companies' branded products, the threat of substitutes is high: clearance and outlet sales by the branded department stores themselves also offer large discounts and attract the brand- and price-conscious consumers that TJX targets. There is also the threat of substitute products from competitors such as Ross, Target, Sears, Overstock and Bluefly, since there is practically no cost of switching to substitutes.
3.
Bargaining Power of Buyers
Since TJX has a large
customer base and is not dependent on a single bulk buyer for its business, the
bargaining power of buyers is low.
4.
Bargaining Power of Suppliers
TJX does not rely on a single source of supply but sources its products in bulk from many brand manufacturers and department stores. Also, the products that TJX purchases are excess inventory that the suppliers are looking to dispose of. Hence the bargaining power of suppliers is low.
5.
Threat of new entrants
The high growth rate of the off-price retail industry might seem to attract new entrants. However, operating successfully in this industry requires a large capital investment for bulk purchases of inventory from vendors, good vendor relationships so that vendors sell their excess goods at a price that is profitable for the off-price retailer, a strong distribution network and geographic reach, and IT systems that facilitate these connections throughout the supply chain. All these requirements are significant barriers to entry, so the threat of new entrants is low.
III.
Role of IT and Strategic Grid
IT plays an important role as an enabler of TJX's low-cost strategy, helping it achieve operational effectiveness, keep costs low and stay competitive. IT systems and networks enable rapid transmission of data between vendors, buyers, merchandisers, store associates, customers and financial institutions such as banks and payment gateways. In-store technologies such as kiosks and barcode scanners speed up operations and enhance customer service, and Customer Relationship Management (CRM) systems enable TJX to identify and target profitable customers. On this basis IT falls in the "Factory" quadrant of the strategic grid: it provides applications that are critical to sustaining daily operations but does not have a high impact on the core strategy of selling off-price products.
IV.
Description and Brief Discussion of the Issue
On December 18, 2006, TJX learned of a security breach and intrusion into its computer systems. The systems that were broken into were based in Framingham and processed and stored information related to payment cards, checks and merchandise returned without receipts[6]. TJX started an internal investigation immediately and hired security consultants from General Dynamics Corporation and IBM. TJX then notified law enforcement officials and financial institutions such as its contracting banks, credit and debit card companies and check-processing companies of the intrusion. On the advice of the US Secret Service, TJX did not disclose the breach publicly until January 17, 2007; on February 21, 2007 it announced that the intrusion extended back to 2005. The data breach affected customers in the U.S., Puerto Rico, Canada and the U.K., but TJX could not specify how much data had been stolen. The security breach exposed multiple vulnerabilities in the IT networks, systems and processes at TJX, which are described below:
A. Inadequate wireless network security
TJX was using the weak WEP (Wired Equivalent Privacy) protocol on the wireless networks in its stores. WEP is built on the RC4 stream cipher with a fixed shared key and a 24-bit per-frame initialization vector (IV), and with freely available tools it can be cracked in minutes. WEP does not satisfy industry standards, which require the much stronger WPA (Wi-Fi Protected Access) protocol[7]. The hackers had exploited the wireless network at a Marshalls store to gain access to the central database.
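To make the weakness concrete, here is an added example in Python (not part of the case or of the original post): a minimal WEP-style encryptor built on RC4 with a CRC-32 integrity check, the keystream-reuse attack an eavesdropper can run once the 24-bit IV repeats, and the birthday-bound count of frames after which a repeat is expected on a single key. The key, IV and frame contents are constructed for illustration; the 802.11 key-ID byte is omitted, and the faster FMS/PTW key-recovery attacks that tools such as aircrack-ng use are not shown.

```python
import math
import zlib

# Constructed 104-bit shared key and a 24-bit IV, not values from the case.
KEY = bytes.fromhex("0102030405060708090a0b0c0d")
IV = bytes.fromhex("a1b2c3")


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + PRGA). WEP seeds it with IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Frame = IV (sent in clear) || RC4_{IV||key}(data || CRC-32 ICV)."""
    assert len(iv) == 3
    body = data + zlib.crc32(data).to_bytes(4, "little")
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Decrypt a frame produced by wep_encrypt and check its ICV."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    data, icv = plain[:-4], plain[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return data


def recover_reused_keystream(known_frame: bytes, known_data: bytes, target_frame: bytes) -> bytes:
    """Eavesdropper's view: two frames under the same IV share a keystream.
    Knowing the plaintext of one (a frame the attacker injected, or a
    predictable ARP/LLC header) gives the keystream, which then strips the
    other frame up to the known length. No key is needed."""
    if known_frame[:3] != target_frame[:3]:
        raise ValueError("IVs differ: no keystream reuse")
    keystream = xor(known_frame[3:], known_data)
    return xor(target_frame[3:], keystream)


def frames_until_iv_collision(p: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: frames sent before some IV repeats with probability p."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * n * math.log(1 / (1 - p))))


def demo() -> bytes:
    """Attacker knows frame 1 in full and recovers a prefix of frame 2."""
    known = b"ARP who-has 10.0.0.1"
    f1 = wep_encrypt(KEY, IV, known)
    f2 = wep_encrypt(KEY, IV, b"Track2 ;4111111111111111=2512101?")
    return recover_reused_keystream(f1, known, f2)


if __name__ == "__main__":
    print(demo())                       # first 20 bytes of the second frame
    print(frames_until_iv_collision())  # ~4.8k frames to a 50% chance of IV reuse
```

On a busy store network a few thousand frames pass in seconds, so IV reuse is not a corner case but the normal state of a WEP network; WPA/WPA2 avoid this by deriving a fresh per-session key and using a 48-bit counter that never repeats within a session.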
B. Lack of in-store physical security of assets
According to InformationWeek, the hackers had opened up in-store kiosks and used USB drives to load software onto those terminals, turning them into remote terminals connected to TJX's network. This points to negligence and a lack of monitoring and physical securing of in-store IT assets.
C. Lack of firewalls
The fact that hackers were able to reach TJX's main network through tampered in-store kiosks points to a lack of firewalls and network segmentation: traffic from the kiosks should never have been able to reach the systems holding payment data.
D. Lack of data encryption during transmission
TJX was transmitting data to its payment card issuers without encryption, which made it easy to intercept. TJX had also stated publicly that the hackers had access to the decryption tool for the encryption software it used, so even data that was encrypted at rest was exposed.
E. Violation of PCI standards
PCI DSS Requirement 3.2 clearly states that after payment authorization is received, a merchant must not store sensitive authentication data such as the CVC, PIN or full-track (magnetic stripe) data[8]. TJX's customer records appear to have included the card-validation code (CVC) and the personal identification numbers (PIN) associated with customer cards.
PCI essentially puts the onus of adhering to its standards on the company: Level 2 and 3 merchants complete an annual self-assessment questionnaire and have quarterly scans performed by an approved vendor. (At TJX's transaction volume the company would be a Level 1 merchant, which additionally requires an annual on-site assessment by a Qualified Security Assessor.) This is easy to violate, because the scans are automated network scans run by an Approved Scanning Vendor such as McAfee, and only against the network ranges that the company specifies. They do not include a scan of the databases themselves for unencrypted or prohibited data. TJX was in violation of PCI standards by retaining unencrypted data.
When I was working as project manager for
ChemistDirect.co.uk, which is an e-commerce website, we performed monthly
audits to ensure PCI compliance, especially for the master and slave databases
that contained customer information. Before the data privacy act in the UK,
e-commerce websites would store the customer’s credit card and CVC number. So
our database contained this information for some old customers. As per the data
privacy act and PCI standards, e-commerce websites can now only store the last
4 digits of the customer’s credit card. So this old credit card information had
to be manually deleted from the database. This would not have been found by an
automated network scan. Hence, it is the
responsibility of the company to protect its customer’s data.
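The kind of check that an external network scan cannot do, and that the manual database clean-up above had to do by hand, is a scan of the stored records themselves. The following is an added example in Python, not code from the case or from any company named on this page: it walks a set of constructed records, finds Luhn-valid primary account numbers (PANs), full track-2 data and card-validation codes, and reports them masked to the last four digits. The record format, field names and card numbers are constructed (the PANs are the usual industry test numbers); a real scan would read rows from the database and also cover logs and backups.

```python
import re
from typing import Dict, List

# Constructed sample of stored transaction records (not TJX data).
SAMPLE_RECORDS = [
    "id=1001 pan=4111111111111111 exp=2512 cvc=123 auth=APPROVED",
    "id=1002 track2=;5500000000000004=2601101123456789? auth=APPROVED",
    "id=1003 pan=4111-1111-1111-1112 exp=2512 auth=DECLINED",  # fails Luhn: not a PAN
    "id=1004 pan_last4=1111 token=tok_8f3a auth=APPROVED",     # what compliant storage looks like
    "id=1005 order=371449635398431 note=amex-test cvc=1234",
]

# 13-19 digits, optionally separated by spaces or hyphens, not part of a longer run.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# ISO 7813 track 2: ';' PAN '=' YYMM expiry, 3-digit service code, discretionary data, '?'.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# Card validation code stored in a named field (must never be retained after authorization).
CVC_RE = re.compile(r"\b(?:cvc|cvv2?|cid)\s*=\s*(\d{3,4})\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which PCI permits to be stored."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_record(line_no: int, text: str) -> List[Dict[str, str]]:
    """Return one finding per prohibited element found in a stored record."""
    findings: List[Dict[str, str]] = []
    for m in TRACK2_RE.finditer(text):
        findings.append({"line": line_no, "kind": "TRACK2",
                         "masked": mask_pan(m.group(1)), "expiry": m.group(2)})
    # Blank out track data so its PAN is not reported twice.
    text = TRACK2_RE.sub(lambda m: " " * len(m.group(0)), text)
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append({"line": line_no, "kind": "PAN", "masked": mask_pan(digits)})
    for m in CVC_RE.finditer(text):
        findings.append({"line": line_no, "kind": "CVC", "masked": "*" * len(m.group(1))})
    return findings


def scan_records(records: List[str]) -> List[Dict[str, str]]:
    out: List[Dict[str, str]] = []
    for n, line in enumerate(records, 1):
        out.extend(scan_record(n, line))
    return out


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f)
```

Record 1003 is deliberately not a card number (its last digit breaks the Luhn check) and record 1004 shows the compliant alternative, a token plus the last four digits; everything else is data that Requirement 3.2 says must not be there after authorization, and a network-facing scanner would never have seen any of it.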
F. Lack of regular audits
TJX did not have regular internal or external security or network audits in place; this could be a reason the breach went undetected for almost 18 months. TJX performed an annual self-assessment for PCI compliance and was in violation. It also did not have a risk mitigation and management strategy in place.
G. Lack of processing logs
TJX did not have the processing (audit) logs on its systems that are necessary for forensic analysis: when a system was accessed, by whom, and what files were added, changed or deleted. This is especially important when processing millions of transactions.
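Logs are only useful for forensics if an intruder who already controls the host (as the TJX attackers did, having planted their own software) cannot quietly edit or trim them. The following is an added example in Python, not from the case: an append-only access log in which each entry carries a SHA-256 hash over its contents and the previous entry's hash, a verifier that pinpoints the first modified or removed entry, and the kind of "what changed on this host after time T" query an investigator needs. Event contents, hostnames and paths are constructed. One caveat the chain alone does not solve: cutting entries off the end is detectable only if the latest hash is regularly copied to a separate log host, which is the design assumption here.

```python
import hashlib
import json
from typing import Dict, List, Tuple

GENESIS = "0" * 64
FIELDS = ("ts", "actor", "action", "target")


def entry_hash(prev_hash: str, entry: Dict[str, str]) -> str:
    """Hash of the previous hash plus a canonical JSON form of the event fields."""
    body = json.dumps({k: entry[k] for k in FIELDS}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_event(log: List[Dict[str, str]], ts: str, actor: str, action: str, target: str) -> Dict[str, str]:
    """Append one event, chaining it to whatever is currently last in the log."""
    entry = {"ts": ts, "actor": actor, "action": action, "target": target}
    entry["prev"] = log[-1]["hash"] if log else GENESIS
    entry["hash"] = entry_hash(entry["prev"], entry)
    log.append(entry)
    return entry


def verify_chain(log: List[Dict[str, str]]) -> Tuple[bool, int]:
    """Return (True, -1) if intact, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e.get("prev") != prev or e.get("hash") != entry_hash(prev, e):
            return False, i
        prev = e["hash"]
    return True, -1


def file_changes(log: List[Dict[str, str]], since: str = "") -> List[Tuple[str, str, str, str]]:
    """Forensic query: files added, changed or deleted at or after `since` (ISO-8601 UTC)."""
    return [(e["ts"], e["actor"], e["action"], e["target"]) for e in log
            if e["action"] in ("file_add", "file_change", "file_delete") and e["ts"] >= since]


def build_sample_log() -> List[Dict[str, str]]:
    """Constructed events resembling a compromised POS host; not data from the investigation."""
    log: List[Dict[str, str]] = []
    append_event(log, "2006-05-02T01:10:00Z", "svc_pos", "login", "db-fram-01")
    append_event(log, "2006-05-02T01:12:31Z", "svc_pos", "file_add", "/opt/pos/bin/collector.exe")
    append_event(log, "2006-05-02T01:13:05Z", "svc_pos", "file_change", "/etc/crontab")
    append_event(log, "2006-05-03T02:00:00Z", "svc_pos", "file_delete", "/var/log/auth.log")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(verify_chain(log))                         # (True, -1)
    print(file_changes(log, "2006-05-02T01:12:00Z"))
    tampered = [dict(e) for e in log]
    tampered[2]["actor"] = "backup"                  # intruder rewrites who changed crontab
    print(verify_chain(tampered))                    # (False, 2)
    print(verify_chain(log[:1] + log[2:]))           # entry removed: (False, 1)
```

The same chaining works for transaction-processing logs: the entry that records a card-data export is then as hard to erase as the export was to perform.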
V.
MOT Triangle
TJX’s business
strategy (mission) is to be a global, off-price value company by building
their businesses gradually and providing a secure foundation and strong
infrastructure[9]. In terms of information strategy, TJX had the
necessary IT systems in place to enable the business through networks that
enable vendor relationship management and CRM systems that helped target
profitable customers. TJX also effectively implemented barcode scanners and
kiosks to speed up business operations. However, its organizational strategy is
not in line with its business strategy of providing a secure foundation. There
is a clear lack of ownership and authority in terms of IT network and systems
security. There are no business processes defined for monitoring and regular
internal audits. There are no incentives or rewards for identifying or
reporting security issues internally. The company’s culture is working towards
growing their business through focus on low-cost but not necessarily a secure
infrastructure. Hence, the MOT triangle depicted below is uneven.
VI.
Recommendations
To align the organizational strategy with the business strategy and information strategy, the management at TJX will need to focus seriously on establishing IT governance and a risk mitigation and management strategy. The immediate action plan must be to contain the security breach and fix the vulnerabilities. First and foremost, TJX must upgrade the wireless security protocol at all of its store locations from WEP to WPA (WPA2 where the equipment supports it). TJX must also secure its physical assets so that they cannot be tampered with; kiosks should be located near security cameras or store registers to ensure constant vigilance. TJX should implement firewalls to control the kiosks' access to the network, and should look at a three-tier architecture in which the database layer is completely separated from the application layer that the kiosks can reach. TJX should also protect cardholder data, both stored and in transit, with a strong encryption algorithm such as AES (Advanced Encryption Standard), and should not store any customer data that is not required or that PCI standards prohibit. TJX must ensure that process and access logs are maintained on each and every system.
At an
organizational level, TJX should create formal procedures for risk management
and use a RACI (Responsible, Accountable, Consulted and Informed) matrix to
assign key responsibilities such as network security scans and upgrades,
internal PCI audits and firewall rule reviews, and ensure that these activities are
carried out as planned. TJX should also look at having independent IT security
audits on a quarterly basis. An effective risk management process will provide
reduced cost of operations, predictability, transparency and confidence,
avoidance of security breaches, and enhanced capabilities[10].
There should be training conducted throughout the organization to increase
awareness about the importance of basic IT security measures such as not
sharing passwords or leaving computer systems unlocked, to prevent internal
security breaches. Management should promote employee rewards for reporting IT system
or network vulnerabilities. At Accenture where I worked, each project team has
a “security monitor” who is in charge of reporting non-compliance to policies
such as internal password exchanges or leaving work computers or laptops
unlocked. TJX management must drive the organizational strategy for a secure
IT framework to meet its strategic goals.
[1]
Chandrasekhar, R., & Haggerty,
N. (2008, March 12). Security Breach at TJX. Harvard Business Review, 1. Retrieved
from 908E03
[2]
Industry:Off-price Retail. (n.d.). WikiInvest.
Retrieved February 2, 2013, from http://www.wikinvest.com/industry/Off-price_Retail
[3]
TJX Annual report 2006. (2007, January). TJX Annual report 2006.
Retrieved February 2, 2013, from http://www.tjx.com/investor_annualreports.asp
[4]
TJX Companies Inc.: Riding The
Consumer Value Wave - Seeking Alpha. (2011, December 9). Seeking Alpha - Stock Market
News & Financial Analysis. Retrieved February 2,
2013, from http://seekingalpha.com/article/312877-tjx-companies-inc-riding-the-consumer-value-wave
[5]
Industry:Off-price Retail. (n.d.). WikiInvest.
Retrieved February 3, 2013, from http://www.wikinvest.com/industry/Off-price_Retail
[6]
Vijayan, J. (2007, March 29). TJX
data breach: At 45.6M card numbers, it's the biggest ever - Computerworld. Computerworld - IT news,
features, blogs, tech reviews, career advice.
Retrieved February 3, 2013, from http://www.computerworld.com/s/article/9014782/TJX_data_breach_At_45.6M_card_numbers_it_s_the_biggest_ever
[7]
Berg, G., Freeman, M., &
Schneider, K. (2008, August). Analyzing the TJ Maxx Data Security Fiasco. NYSSCPA.ORG | The Web Site of
the New York State Society of CPAs. Retrieved February 3,
2013, from http://www.nysscpa.org/cpajournal/2008/808/essentials/p34.htm
[8]
Berg, G., Freeman, M., &
Schneider, K. (2008, August). Analyzing the TJ Maxx Data Security Fiasco. NYSSCPA.ORG | The Web Site of
the New York State Society of CPAs. Retrieved February 3,
2013, from http://www.nysscpa.org/cpajournal/2008/808/essentials/p34.htm
[9]
Our Businesses. (n.d.). Welcome to The TJX Companies,
Inc. Retrieved February 2, 2013, from http://www.tjx.com/businesses.asp
[10]
Building confidence in IT Programs.
(2011, September). Ernst & Young - Global.
Retrieved February 4, 2013, from http://www.ey.com/Publication/vwLUAssets/Building_confidence_in_IT_programmes_through_programme_risk_management/$FILE/Insights_IT_Building_confidence_in_IT_programs.pdf