Questions
1a. Find 3 assets critical to the organization. Explain why each asset is critical. Assign dollar values to these assets.
1b. Find the top 3 critical risks for this organization. Explain why each risk is critical. Rank them in order of criticality.
1c. Indicate the maturity level of this organization.
TJX Data Breach
Investigators found that the first major intrusion into TJX’s system had occurred in the
summer of 2005 at a Marshalls discount clothing store near St. Paul, Minnesota. The criminals
used “war driving,” a hacking method that involved a laptop, antenna, and mobile wireless
connection to locate vulnerable wireless signals. Once the hackers exploited TJX’s WEP-secured
wireless signal and successfully broke into the network, they established a connection with the
main TJX server in Framingham and uploaded their own program that extracted card numbers
from the network traffic. That program remained in place for eighteen months.
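The paragraph above turns on one control: the store's wireless network was protected only by WEP, a cipher the IEEE deprecated in 2004 because its static RC4 key can be recovered from ordinary captured traffic. The two hostapd.conf fragments below are an added illustration, not text from the case and not TJX's actual configuration: the first shows the kind of access-point setting that leaves a network in that state, the second a WPA2-Enterprise (802.1X/EAP) configuration that closes it. The interface, SSID, RADIUS address and shared secret are placeholders.

```ini
# --- Weak: WEP-protected access point (illustrative hostapd.conf fragment) ---
interface=wlan0
# placeholder SSID
ssid=STORE-POS-EXAMPLE
hw_mode=g
channel=6
# WEP: one static shared key for every device, RC4 with 24-bit IVs; broken by design
auth_algs=1
wep_default_key=0
wep_key0=0123456789ABCDEF0123456789

# --- Hardened: WPA2-Enterprise with AES-CCMP, 802.1X and protected management frames ---
interface=wlan0
ssid=STORE-POS-EXAMPLE
hw_mode=g
channel=6
# WPA2 only (no WPA1/TKIP fallback), per-device keys derived from the EAP exchange
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
# require protected management frames (802.11w)
ieee80211w=2
# authenticate each device against a RADIUS server (placeholder address and secret)
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=REPLACE-WITH-A-LONG-RANDOM-SECRET
```

Replacing WEP removes the entry point described in the case, but the case also shows why the control alone is not enough: the intrusion mattered because a single store's wireless segment could reach the central server in Framingham and stay connected for eighteen months. Segmenting store networks from the card-processing environment and alerting on long-lived, unexpected connections to it are the complementary controls a risk assessment of this scenario should weigh.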
Investigators discovered that the TJX hackers were part of a large, sophisticated international
network that loaded blank cards from China with stolen card numbers and sold them online for
$10 to $100 each. Buyers used the cards to withdraw money from ATMs or purchase merchandise
they could later sell.
In 2009 the average total cost to a merchant for a data breach was $6.75 million, or $204 per
compromised record. At that rate the cost to TJX of 46 million compromised records would have
exceeded $9 billion. Through the end of 2009 TJX reported expenses and reserves for probable
losses of $171.5 million.
Although the Federal Trade Commission (FTC) did not have the power to impose a fine on
TJX, it settled with the company after charging it with engaging “in practices that, taken together,
failed to provide reasonable and appropriate security for sensitive consumer information.”[17] As
part of the settlement TJX agreed to an FTC review conducted by an independent third-party
auditor every other year for twenty years to ensure the company is establishing and maintaining
“a comprehensive security program reasonably designed to protect the security, confidentiality,
and integrity of personal information it collects from or about consumers.”[18]
A year after the announcement of the intrusion, TJX’s first-quarter 2008 sales were up 6
percent and net income (after the settlement payouts) was down less than 2 percent compared
with the previous year.[19] In 2009 net sales were up another 7 percent and TJX planned to expand
its retail space by 5 percent in 2010 and 6 percent in 2011.[20]