Analyzing the TJ Maxx Data Security Fiasco
Lessons for Auditors

By Gary G. Berg, Michelle S. Freeman, and Kent N. Schneider

AUGUST 2008 - In January 2007, TJX Companies, Inc. (TJX), the parent company of retail chains such as T.J. Maxx and Marshalls, issued a press release announcing that its computer systems had been breached and that customer information had been stolen. As the investigation into the crime continued during 2007, estimates of the number of customers affected skyrocketed. Later reports indicated that at least 94 million Visa and MasterCard accounts had been compromised, with losses projected to approach $4.5 billion. As expected, Visa and MasterCard are seeking to recoup these losses from TJX. The sheer scale of the security breach should cause auditors to wonder about the implications for their professional practice.

What Went Wrong at TJX?

Investigations into the TJX case appear to indicate that the company was not in compliance with the Payment Card Industry (PCI) data security standards established in 2004 by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International. Reports identified three major areas of vulnerability: inadequate wireless network security, improper storage of customer data, and failure to encrypt customer account data.

Inadequate wireless network security. The store where the initial breach occurred was using a wireless network that was inadequately secured. Specifically, the network was using a security protocol known as wired equivalent privacy (WEP). One problem with WEP security is that it is easy to crack. In fact, researchers at Darmstadt Technical University in Germany have demonstrated that a WEP key can be broken in less than a minute. More important, WEP does not satisfy industry standards that require the use of the much stronger WPA (Wi-Fi Protected Access) protocol. After breaking into the store’s network, the hackers then breached security at the corporate headquarters and obtained the customer account information stored there. According to a May 4, 2007, Wall Street Journal article, the intruders had access to the TJX records for 18 months without being detected.

Improper storage of customer data. The TJX data storage practices also appear to have violated industry standards. Reports indicate that the company was storing the full-track contents scanned from each customer’s card. Moreover, customer records appear to have included the card-validation code (CVC) number and the personal identification numbers (PIN) associated with the customer cards. PCI Data Security Standard 3.2 clearly states that after payment authorization is received, a merchant is not to store sensitive data, such as the CVC, PIN, or full-track information. Exhibit 1 shows a comparison of key data items believed to have been stored by TJX, along with the relevant PCI standards.

Most likely, TJX did not retain this information with malicious intent. The company may have been using older point-of-sale (POS) software that had been designed to capture all card data and that could not be reconfigured to comply with PCI standards. This problem has been linked to credit-card security breaches at other retailers. Another possibility is that the POS software was adequate, but improperly configured.

Failure to encrypt customer data. Even if the hackers had been able to infiltrate the TJX corporate network and access the improperly stored customer records, it is likely that no harm would have resulted, had the customer data been securely encrypted. Given the large number of fraudulent transactions traced back to the TJX breach, it is obvious that either the data had not been encrypted, or the hackers stole the encryption key. In either case, industry standards were not maintained by TJX. PCI Data Security Standard 3.4 requires that at minimum, the customer’s “primary account number” (i.e., the customer’s card number) be “rendered unreadable.” Furthermore, PCI Data Security Standards 3.5 and 3.6 require merchants to protect the encryption keys used for protecting customer data from disclosure and misuse.

How the TJX Breach Affects Audit Practices

At first, the TJX fiasco appears to offer an object lesson for retailers’ IT departments, rather than auditors. After all, customers’ credit card numbers are not the retailer’s asset to protect; rather, the sales transaction itself is what accounting internal controls have traditionally sought to secure. With the advent of Statement on Auditing Standard (SAS) 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, internal control clearly extends beyond protecting one’s own assets.

SAS 109 requires auditors to “audit the business, and not just the books” when evaluating the risks of a client’s financial statements containing a material misstatement. Specifically, SAS 109 requires an understanding of: 1) the entity and its environment; 2) the entity’s internal control environment; and 3) susceptibility of the entity’s financial statements to material misstatement resulting from liabilities.

Understanding the entity and its environment. Retailers cannot continue to operate by looking after only their own assets, as seen in the TJX debacle. Customer credit and debit card information is a valued target of data thieves. Technology has made purchasing information more valuable than actual currency, because it can be used to run up huge bills for the original cardholders. These victims are left with the lengthy, painful task of restoring their good credit ratings. To protect against data theft, consumers can refrain from using debit and credit cards (an inconvenient option), or refrain from shopping at stores that suffer data breaches. In other words, it is ultimately in the best interest of retailers to follow industry standards and protect customer credit and debit card records.

Understanding the entity’s internal control environment. In the digital economy, retailers must implement both physical and electronic controls. For example, stores should have physical control over the credit card scanners at checkout locations by bolting them to the counter. Otherwise, a thief could replace a retailer’s scanner with an identical-looking scanner that also stores scanned customer information on a hidden chip. Later, the thief could return to the store and switch scanners again, walking away with the customer data accumulated in the interim.

Understanding the risk of material misstatement resulting from contingent liabilities. Although customer purchasing information is not an asset of the retailer, possession of that information imposes great responsibility on the retailer, and failure to protect that information can result in huge liabilities.

One source of potential liability is the contracts that the retailer makes with card issuers in order for the store to accept credit and debit cards as payment for transactions. Typically, these contracts require that merchants comply with PCI Data Security Standards. Failure to comply with the standards exposes a merchant to two types of liability. First, the contract with the card issuer provides for substantial penalties if the merchant does not comply with PCI standards. Second, and more significantly, merchants are subject to “push-back” liability for damages suffered by the card issuer as a result of the merchant’s data breach. These losses sustained by card issuers include not only the fraudulent charges made on the accounts of the victims of identity theft, but also the administrative costs associated with the issuance of new cards to customers whose personal information may have been compromised. For TJX, the bulk of its liability will likely result from such push-back losses sustained by issuers.

Another source of risk to retailers is the growing number of state laws regarding notification of security breaches. According to the National Conference of State Legislatures “State Security Breach Notification Laws” webpage (www.ncsl.org/programs/lis/cip/priv/breachlaws.htm), as of May 1, 2008, at least 42 states, the District of Columbia, and Puerto Rico have legislation requiring notification of security breaches involving personal information.

The New York statute (New York State General Business Law section 899-aa, subsections 2 and 3) is fairly typical. It applies to any New York businesses that own, license, or maintain computerized data containing “private information,” such as an individual’s Social Security number, driver’s license number, or account number, along with the required access code or password needed to permit access to an individual’s financial account. These businesses must notify any New York resident whose private information was acquired, or believed to have been acquired, by someone without valid authorization. If the business fails to promptly notify the affected parties, the statute authorizes damages for actual costs or losses, including “consequential financial losses” [New York State General Business Law section 899-aa, subsection 6(a)].

What Auditors Can Learn from the TJX Fiasco

When evaluating the risks associated with a retailer’s business, valuable lessons can be learned from the mistakes of TJX. Although TJX is a huge organization, these risks are equally applicable to mom-and-pop operations. Exhibit 2 summarizes these lessons.

First, check to see if there is wireless access to the company network. Even if company policy prohibits wireless routers, a renegade router installed by an employee may be connected. If wireless access does exist, evaluate the type of encryption used by the router. Make sure that a method prescribed by PCI standards, such as WPA or WPA2, is in use. Under no circumstances should WEP encryption be used. In addition, evaluate the strength of the log-on password and make sure that the router doesn’t broadcast its network name or service set identifier (SSID). Where practical, the authors recommend configuring the router to restrict access to specific computers, using the unique media access control (MAC) address assigned to each authorized computer.
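An auditor working through the wireless checklist above can script the comparison between the authorized access-point inventory and what a site survey actually finds, so that a renegade router and a WEP-protected router both surface as findings. The Python below is an added example written for this article, not code from its authors or from any vendor tool; the inventory, the survey results, the MAC addresses and the 13-character passphrase minimum are constructed assumptions, and WPA and WPA2 are both accepted because the article names both as PCI-prescribed methods.

```python
"""Added example: audit wireless access points against an authorized inventory."""
from dataclasses import dataclass

# Minimum pre-shared-key length accepted in this example (an assumption, not a PCI figure).
MIN_PASSPHRASE_LEN = 13


@dataclass
class InventoryAP:
    """An access point the company authorizes, with the settings an auditor reviews."""
    bssid: str            # router MAC address (constructed values below)
    ssid: str
    security: str         # "OPEN", "WEP", "WPA-PSK", "WPA2-PSK", "WPA2-ENT"
    broadcasts_ssid: bool
    mac_filtering: bool   # restricts access to specific computers by MAC address
    passphrase: str = ""


def security_findings(security):
    """Findings for the encryption protocol alone; usable for survey entries too."""
    mode = security.upper()
    if mode == "OPEN":
        return ["critical: no encryption"]
    if mode.startswith("WEP"):
        return ["critical: WEP in use, prohibited by PCI standards"]
    if mode.startswith("WPA"):          # WPA and WPA2 both satisfy the checklist
        return []
    return [f"unknown security mode '{security}'"]


def config_findings(ap):
    """Full checklist for an authorized access point whose configuration we can inspect."""
    findings = security_findings(ap.security)
    if "PSK" in ap.security.upper() and len(ap.passphrase) < MIN_PASSPHRASE_LEN:
        findings.append(f"high: passphrase shorter than {MIN_PASSPHRASE_LEN} characters")
    if ap.broadcasts_ssid:
        findings.append("low: SSID is broadcast")
    if not ap.mac_filtering:
        findings.append("low: MAC address filtering disabled")
    return findings


def audit_wireless(inventory, survey):
    """survey: (bssid, ssid, security) tuples observed on site. Returns findings per BSSID."""
    known = {ap.bssid.lower() for ap in inventory}
    report = {ap.bssid.lower(): config_findings(ap) for ap in inventory}
    for bssid, ssid, security in survey:
        key = bssid.lower()
        if key not in known:   # a router nobody authorized, e.g. installed by an employee
            report[key] = [f"critical: unauthorized access point '{ssid}' seen on site"]
            report[key] += security_findings(security)
    return report


# Constructed sample data: two authorized routers and a site survey that also sees a third.
INVENTORY = [
    InventoryAP("00:11:22:33:44:01", "store-pos", "WPA2-PSK", False, True,
                "long-constructed-passphrase-2008"),
    InventoryAP("00:11:22:33:44:02", "store-guest", "WEP", True, False, "abc12"),
]
SURVEY = [
    ("00:11:22:33:44:01", "store-pos", "WPA2-PSK"),
    ("00:11:22:33:44:02", "store-guest", "WEP"),
    ("aa:bb:cc:dd:ee:03", "linksys", "OPEN"),
]


def run_sample_wireless_audit():
    return audit_wireless(INVENTORY, SURVEY)


if __name__ == "__main__":
    for bssid, findings in run_sample_wireless_audit().items():
        print(bssid, findings or ["ok"])
```

The survey side carries only what a passive scan can observe (BSSID, SSID, protocol), while the inventory side carries the settings that need a configuration review (passphrase, MAC filtering), which is why the two are checked by different functions.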

Second, evaluate the company’s data storage practices and security for stored customer data. Ascertain that the company complies with PCI security standards and is not retaining excess data scanned from customer credit and debit cards. Under no circumstances should a merchant retain a customer’s debit card PIN. Also, make sure that customer data stored by the retailer are encrypted using a strong key.

Finally, review the company’s data-retention policies and practices. Make sure the merchant does not retain customer data any longer than permitted by the card issuers. Even better, do not retain data any longer than necessary to document the underlying transaction. Ensure that policies are in place to notify customers of possible security breaches and that a process is in place to implement the policies if a breach occurs.
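The storage, encryption and retention checks above, together with the PCI DSS 3.2 and 3.4 requirements described in the "What Went Wrong at TJX?" section, can be applied mechanically to a merchant's stored transaction records. The Python below is an added example written for this article, not code from TJX, the PCI council or the article's authors: it scans constructed sample records for sensitive authentication data (CVC, PIN, full-track data), for a primary account number left readable, and for records held past a retention window. The field names, the 90-day window, the audit date and the records themselves are assumptions made for the example; the card numbers are the usual Luhn-valid test numbers, not real accounts.

```python
"""Added example: audit stored cardholder records against PCI DSS 3.2 / 3.4 and a retention limit."""
import re
from datetime import date

# Magnetic-stripe track layouts (ISO/IEC 7813): track 1 begins '%B', track 2 begins ';'.
# Storing either after authorization violates PCI DSS 3.2.
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{7}[^?]*\?")
TRACK2_RE = re.compile(r";\d{13,19}=\d{7}[^?]*\?")
# Candidate primary account number: a run of 13 to 19 digits.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

# Field names that must be empty once authorization has been received (assumed schema).
SENSITIVE_AUTH_FIELDS = {"cvc", "cvv", "cvv2", "cid", "pin", "pin_block"}

AUDIT_DATE = date(2008, 8, 1)   # constructed "today" for the sample run
RETENTION_DAYS = 90             # assumed issuer-permitted retention window


def luhn_valid(digits):
    """True if the digit string passes the Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def readable_pans(text):
    """Luhn-valid card numbers appearing in clear in a text value (PCI DSS 3.4 violation)."""
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_valid(m.group(0))]


def audit_record(rec, today=AUDIT_DATE, retention_days=RETENTION_DAYS):
    """Return the list of findings for one stored transaction record."""
    findings = []
    # 3.2: sensitive authentication data must not be stored after authorization.
    for name in sorted(SENSITIVE_AUTH_FIELDS & set(rec)):
        if rec[name] not in (None, ""):
            findings.append(f"3.2: sensitive authentication data stored in field '{name}'")
    # Every text field is scanned: track data and card numbers also turn up in free text.
    for name, value in rec.items():
        if not isinstance(value, str):
            continue
        if TRACK1_RE.search(value) or TRACK2_RE.search(value):
            findings.append(f"3.2: full-track data stored in field '{name}'")
        if readable_pans(value):
            findings.append(f"3.4: primary account number readable in field '{name}'")
    # Retention: records kept longer than the issuer permits enlarge the exposure.
    auth_date = rec.get("auth_date")
    if auth_date is not None:
        age = (today - auth_date).days
        if age > retention_days:
            findings.append(f"retention: record is {age} days old (limit {retention_days})")
    return findings


# Constructed sample records: r1 is compliant (tokenized PAN, no sensitive auth data),
# r2 keeps the PAN readable plus the CVC, r3 keeps the PIN, has a track-2 swipe pasted
# into a notes field, and is far past the retention window.
SAMPLE_RECORDS = [
    {"id": "r1", "pan": "tok_constructed_0001", "cvc": "", "pin": "",
     "auth_date": date(2008, 7, 20), "notes": "approved"},
    {"id": "r2", "pan": "4111111111111111", "cvc": "123", "pin": "",
     "auth_date": date(2008, 7, 25), "notes": ""},
    {"id": "r3", "pan": "550000XXXXXX0004", "cvc": "", "pin": "4321",
     "auth_date": date(2006, 11, 2),
     "notes": "swipe: ;5500000000000004=2512101123456789?"},
]


def run_sample_audit():
    return {rec["id"]: audit_record(rec) for rec in SAMPLE_RECORDS}


if __name__ == "__main__":
    for rec_id, findings in run_sample_audit().items():
        print(rec_id, findings or ["ok"])
```

Scanning every text field, not just the column named "pan", matters in practice: POS software that captures the whole stripe often writes it into log or memo fields, which is how full-track data survives long after the transaction is authorized.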

Ultimately, the security of a company’s information system relies upon the competency and honesty of its employees. Therefore, it is important to conduct background checks on employees and to train them about the possibility of security breaches and how to avoid them.


Gary G. Berg, PhD, CPA, is an associate professor of accountancy at East Tennessee State University, Johnson City, Tenn.
Michelle S. Freeman, EdD, CPA (inactive), is an assistant professor of business administration at Tusculum College, Greeneville, Tenn.
Kent N. Schneider, JD, CPA, is a professor of accountancy, also at East Tennessee State University, Johnson City, Tenn.

The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2009 The New York State Society of CPAs.