In January 2007, TJX Companies, Inc. (TJX), the parent company of retail chains such as T.J. Maxx and Marshalls, issued a press release announcing that its computer systems had been breached and that customer information had been stolen. As the investigation into the crime continued during 2007, estimates of the number of customers affected sky-rocketed. Other reports indicated that at least 94 million Visa and MasterCard accounts had been compromised, with losses projected to approach $4.5 billion. As expected, Visa and MasterCard are seeking to recoup these losses from TJX. The sheer scale of the security breach should cause auditors to wonder about the implications for their professional practice.
What Went Wrong at TJX?
Investigations into the TJX case appear to indicate that the company was not in compliance with the Payment Card Industry (PCI) data security standards established in 2004 by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International. Reports identified three major areas of vulnerability: inadequate wireless network security, improper storage of customer data, and failure to encrypt customer account data.
Inadequate wireless network security. The store where the initial breach occurred was using a wireless network that was inadequately secured. Specifically, the network was using a security protocol known as wired equivalent privacy (WEP). One problem with WEP security is that it is easy to crack. In fact, researchers at Darmstadt Technical University in Germany have demonstrated that a WEP key can be broken in less than a minute. More important, WEP does not satisfy industry standards that require the use of the much stronger WPA (Wi-Fi Protected Access) protocol. After breaking into the store's network, the hackers then breached security at the corporate headquarters and obtained the customer account information stored there. According to a May 4, 2007, Wall Street Journal article, the intruders had access to the TJX records for 18 months without being detected.
Improper storage of customer data. The TJX data storage practices also appear to have violated industry standards. Reports indicate that the company was storing the full-track contents scanned from each customer's card. Moreover, customer records appear to have included the card-validation code (CVC) number and the personal identification numbers (PIN) associated with the customer cards. PCI Data Security Standard...
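The storage failures described above (retained full-track data, CVC and PIN, unmasked account numbers) are exactly what a PCI data-retention audit looks for in a transaction store. The following is an added example, not code from the article or from TJX, showing how such a check can be expressed: it scans constructed sample records for magnetic-stripe track formats, sensitive authentication data and cleartext PANs, and shows the first-six/last-four masking that an auditor would expect to see instead. The record layout, field names and the test PAN 4111111111111111 are assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed sample rows mimicking a hypothetical transaction table.
# The PAN is the well-known test number 4111111111111111, not real data.
SAMPLE_RECORDS = [
    {   # Worst case: full track 2, cleartext PAN, CVC and PIN all retained
        "txn_id": "T-1001",
        "pan": "4111111111111111",
        "track2": ";4111111111111111=25121011234567890?",
        "cvc": "123",
        "pin": "4321",
    },
    {   # Compliant row: masked PAN, no sensitive authentication data
        "txn_id": "T-1002",
        "pan": "411111******1111",
        "track2": "",
        "cvc": "",
        "pin": "",
    },
    {   # Track 1 retained even though the PAN column itself is empty
        "txn_id": "T-1003",
        "pan": "",
        "track1": "%B4111111111111111^DOE/JANE^2512101123456789?",
        "cvc": "",
        "pin": "",
    },
]

# Track 1: %B<PAN>^<NAME>^<YYMM>...   Track 2: ;<PAN>=<YYMM>...
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")
FULL_PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to avoid flagging random digit strings as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def audit_record(rec: Dict[str, str]) -> List[str]:
    """Return the list of retention violations found in one stored record."""
    findings = []
    for fld in ("track1", "track2"):
        value = rec.get(fld, "")
        if TRACK1_RE.search(value) or TRACK2_RE.search(value):
            findings.append(f"{fld}: full magnetic-stripe track data retained")
    pan = rec.get("pan", "")
    if FULL_PAN_RE.match(pan) and luhn_ok(pan):
        findings.append("pan: unmasked PAN stored in clear")
    if rec.get("cvc"):
        findings.append("cvc: card validation code retained after authorization")
    if rec.get("pin"):
        findings.append("pin: PIN retained")
    return findings


def audit(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each transaction id to its violations (empty list = compliant)."""
    return {r["txn_id"]: audit_record(r) for r in records}


def mask_pan(pan: str) -> str:
    """Keep at most first six and last four digits, the usual display form."""
    if len(pan) < 11:
        raise ValueError("PAN too short to mask safely")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for txn_id, problems in audit(SAMPLE_RECORDS).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{txn_id}: {status}")
    print("masked:", mask_pan("4111111111111111"))
```

The track regexes key on the sentinel and separator characters of the ISO 7813 stripe formats rather than on the digits alone, so a masked PAN column does not trigger a false positive while a forgotten track1 column still does; the Luhn check plays the same role for the PAN column.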