Chapter 14 • Information Security 563
Customer Data Theft at TJX
TJX Companies is a $17 billion retailer with more than 2,500 retail stores in North America, the British
Isles, and other countries. For a period of more than six months, credit card information of between
45 million and 200 million customers was stolen.
How did the information thieves do this? The evidence suggests that it was not that difficult: It is
believed that they tapped into wireless networks, gained administrative control of large databases, and
freely downloaded immense amounts of unencrypted information from the company’s data warehouse.
By any reasonable auditing standards, TJX was guilty of gross negligence. It had complied with only 3
of the 12 required control objectives specified in a data security standard (PCI-DSS) created by major
credit card companies.
What was the cost of this theft? TJX will be spending well over $100 million for badly needed security upgrades, but this dollar amount does not come close to the dollar amount associated with the loss of reputation, goodwill, and opportunity costs for TJX. Financial institutions were also projected to spend over $300 million to replace the credit cards of these TJX customers. By 2009, TJX reported they had already spent $202 million to deal with the data theft, including legal settlements. Forrester Research estimated that the cost to TJX could surpass $1 billion due to consultant costs, security upgrades, attorney fees, and additional marketing to assure customers that their systems were now secure.
[Based on Pereira, 2007; Laudon and Laudon, 2010; and Panko, 2010]
Cyberwarfare
Cyberwar refers to attacks on the IT infrastructure of the enemy with the intent to disable or disrupt the function of the military or the economy of the enemy. Military targets might include command-and-control systems, air defense networks, and computers embedded in weapon systems. Civilian targets might be power grids, financial networks, air traffic control systems, and contractors with military defense departments. There have been a number of incidents that may or may not have been examples of cyberwarfare. In 2007, there were almost 13,000 attacks on U.S. government agencies, and in April of that year, during a dispute between Russia and Estonia over the removal of a Soviet-era statue, sophisticated denial-of-service attacks via the Internet shut down Web operations of Estonia’s largest bank, several newspapers, and the Web sites of its parliament, the president, and the prime minister. Although most cyberwarfare developments are cloaked in secrecy, in 2009 a Cyber Command was established in the U.S. Pentagon to defend national security and carry out offensive operations inside computer networks.
How Ex-Employees Can Be Dangerous
Committing a crime against a current or former employer can also sometimes be a way that individuals “get back” at a company for real or perceived transgressions. For example, an insurance company employee who was fired from his IT job planted a logic bomb that went off after he left the firm and destroyed more than 160,000 records used to pay monthly payroll commissions.