Introduction
Among the main contenders for the title of largest hack of a private company, we find the attack perpetrated against the TJX company. By exploiting weaknesses in the security of its Wi-Fi network, a group of hackers managed to steal information from the company's database over a period of 18 months (Appendix 1) without being detected. When the intrusion was discovered in 2007, the cyber criminals had already taken possession of more than 95 million people's credit card records. The main protagonist of this impressive attack was the legendary American hacker Albert Gonzalez, who was later sentenced to 20 years in prison.
The Weak Links
People
In the TJX data breach, low security awareness among the personnel could have played an
The most disturbing thing is that TJX was storing this data in plain text, without any encryption whatsoever. TJX should also have periodically purged all non-essential data from its databases. TJX was completely oblivious as to what information the intruders had stolen; the company was unable to produce an immediate report of what the breach had caused in terms of data losses. This highlights a lack of data classification. A well-planned data classification system allows companies to find and retrieve essential data, which is particularly important for risk management, legal discovery, and compliance (Rouse). Even though TJX was not in compliance with the Payment Card Industry Data Security Standard (PCI DSS) (Appendix 2), for some reason the company was able to pass the annual audit for that standard. The fact that TJX passed the PCI DSS audit without meeting the required security standards shows that something was not operating the way it was supposed to. Moreover, TJX's internal audit department was not able to fulfil its function, which led to a complete failure in the auditing
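As an added illustration (not part of the essay and not code from any TJX system), the following Python sketch sets the plaintext storage pattern described above beside a hardened store: a keyed one-way token replaces the clear card number, each record carries a data-classification tag, and a retention purge removes records once they are no longer needed, so that a dump of the table reveals neither full card numbers nor an unknown quantity of data. The token key, timestamps and card numbers are constructed test values, and the class and function names are this example's own.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed key for this example only; a real token key belongs in an HSM or
# key-management service, never in source code.
TOKEN_KEY = b"example-only-token-key-not-for-real-use"


def luhn_valid(pan: str) -> bool:
    """Luhn check so malformed input is rejected before it is ever stored."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tokenize(pan: str) -> str:
    """Keyed one-way token: the business can match a card again without keeping
    the PAN (an unkeyed hash would be brute-forceable over the small PAN space)."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()


@dataclass
class CardRecord:
    token: str            # stands in for the PAN in every query
    last4: str            # truncated PAN, the only clear digits retained
    classification: str   # classification tag that drives retention and purge
    stored_at: datetime


class PlaintextStore:
    """The weak pattern the essay describes: full PAN in clear, never purged."""

    def __init__(self) -> None:
        self.rows = []

    def save(self, pan: str, now: datetime) -> None:
        self.rows.append({"pan": pan, "stored_at": now})


class HardenedStore:
    """Corrected pattern: tokenised PAN, classification tag, retention purge."""

    def __init__(self, retention_days: int = 90) -> None:
        self.retention = timedelta(days=retention_days)
        self.rows = {}

    def save(self, pan: str, now: datetime) -> CardRecord:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        rec = CardRecord(tokenize(pan), pan[-4:], "PCI/cardholder", now)
        self.rows[rec.token] = rec
        return rec

    def lookup(self, pan: str) -> Optional[CardRecord]:
        return self.rows.get(tokenize(pan))

    def purge_expired(self, now: datetime) -> int:
        """Drop records older than the retention period; returns how many went."""
        expired = [t for t, r in self.rows.items() if now - r.stored_at > self.retention]
        for t in expired:
            del self.rows[t]
        return len(expired)


def exposure_if_dumped(store) -> dict:
    """What a full copy of the table would hand an intruder: the inventory an
    incident report needs in order to state what was actually lost."""
    if isinstance(store, PlaintextStore):
        return {"full_pans": len(store.rows), "classified": False}
    return {"full_pans": 0, "tokens_and_last4": len(store.rows), "classified": True}


def run_demo() -> dict:
    """Populate both stores with constructed data and report the difference."""
    now = datetime(2007, 1, 17, tzinfo=timezone.utc)          # constructed timestamp
    weak, hard = PlaintextStore(), HardenedStore(retention_days=90)
    samples = [("4111111111111111", now - timedelta(days=120)),  # constructed test PANs
               ("5500000000000004", now)]
    for pan, when in samples:
        weak.save(pan, when)
        hard.save(pan, when)
    found_before = hard.lookup("4111111111111111") is not None
    purged = hard.purge_expired(now)
    return {
        "weak": exposure_if_dumped(weak),
        "weak_has_clear_pan": weak.rows[0]["pan"] == "4111111111111111",
        "hard": exposure_if_dumped(hard),
        "found_before_purge": found_before,
        "purged": purged,
        "found_after_purge": hard.lookup("4111111111111111") is not None,
        "last4_kept": hard.lookup("5500000000000004").last4,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The hardened store still lets the business answer "have we seen this card before?" through the token, but a copy of its table yields only tokens and the last four digits, and the purge keeps the table from growing into an unknown archive of old transactions, which is the difference between being able to state precisely what a breach exposed and being oblivious to it.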
Outsourcing part of the IT infrastructure to reduce costs and to rely on a more scalable and secure infrastructure.
7. Create a training program for all associates to make them aware of the risks of working with information and IT resources. Enforce policies that restrict personal use of corporate IT resources.
Taking the measures listed above will ensure a more efficient and potent defense against future attacks. It is also important to note that it is virtually impossible to be totally secure, regardless of the security model employed (Pearlson, Saunders, & Galletta, 2016).
Who’s to