GroupB88 - Incident Report

This document discusses a data breach at TJX that exposed personal and credit information of millions of customers. It provides background on TJX, an off-price retailer, and analyzes the incident, including location, parties involved, damages, development, causes, solutions, and TJX's response. Key takeaways on cybersecurity and incident response are also discussed.


NATIONAL UNIVERSITY HO CHI MINH CITY

___________________________________
UNIVERSITY OF LAW AND ECONOMICS
___________________________________

REPORT

Topic: TJX’s DATA BREACH THAT EXPOSED


PERSONAL AND CREDIT INFORMATION OF
MILLIONS OF CUSTOMERS

Subject: Information System Security

Lecturer: MS. Nguyen Quang Hung

ClassID: 231IS2802

Group: B_88

Ho Chi Minh City, December 9th 2023


ACKNOWLEDGEMENT

Our heartfelt gratitude extends to Mr. Nguyen Quan Hung, whose insightful instruction
on Information Systems Security has been the cornerstone of our learning experience.
Mr. Hung's patient guidance and ability to illuminate complex concepts with clarity
have been instrumental in enriching our understanding. He has instilled in us a profound
appreciation for the ever-evolving nature of cybersecurity and its pivotal role in
safeguarding the digital landscape.

Through his meticulous instruction and unwavering support, Mr. Hung has not only
equipped us with the technical proficiency necessary to navigate the intricacies of
information security but has also ignited a passion within us to delve deeper into this
dynamic and ever-evolving field. We firmly believe that the knowledge and skills we
have acquired under his tutelage will serve as an invaluable foundation for our future
endeavors, allowing us to contribute meaningfully to the evolving world of information
security.

We are deeply grateful for his dedication to our learning and for the profound impact
he has had on our intellectual and professional development.

MEMBER OF GROUP B-88

Number  Member's Fullname          StudentID
1       Le Lam Phuong (Leader)     K214060441
2       Tran Nguyen Diu Quyen      K214061267
3       Nguyen Ngoc Phuong Uyen    K214061764
4       Tran Vu Anh Thu            K214060442
5       Tran Van Phat              K214060439
6       Tran Phuong Nhi            K214060437

CONTENTS

ACKNOWLEDGEMENT .............................................................................................. i
MEMBER OF GROUP B-88......................................................................................... ii
CONTENTS .................................................................................................................. iii
LIST OF FIGURES ...................................................................................................... iv
LIST OF ACRONYMS ................................................................................................. v
CHAPTER 1: INTRODUCTION .................................................................................. 1
1.1. About TJX ........................................................................................................ 1
1.1.1. Company Background ................................................................................... 1
1.1.2. Achievement.................................................................................................. 1
1.1.3. Market Segment ............................................................................................ 2
1.2. Reasons for choosing the topic ......................................................................... 3
1.3. Objectives and scopes ...................................................................................... 3
CHAPTER 2: ANALYSIS OF THE INCIDENT .......................................................... 4
2.1. Location and timeframe of occurrence ................................................................... 4
2.2. Involved parties ....................................................................................................... 4
2.3. Incurred Damages ................................................................................................... 5
2.4. Development of the incident ................................................................................... 6
2.5. Causes of the incident .......................................................................................... 7
2.5.1. Causes analysis .............................................................................................. 7
2.5.2. Attack methods used ................................................................................... 11
2.6. Proposed solutions for cybersecurity................................................................. 11
2.7. TJX's reaction evaluation .................................................................................. 13
2.7.1. About TJX's Response ................................................................................ 13
2.7.2. About TJX's public disclosure .................................................................... 14
2.8. Key takeaways ................................................................................................... 14
CHAPTER 3: CONCLUSION .................................................................................... 16
References .................................................................................................................... 17

LIST OF FIGURES

Figure 1: The Logo of company TJX ............................................................................. 1


Figure 2: A Global Off-Price Retailer ........................................................................... 2
Figure 3: Financial performance of TJX (Fiscal second-quarter earnings) ................ 6
Figure 4: Wireless transmission of data connected to corporate networks .................. 8
Figure 5: Schematic representation of security breach by the hackers ........................ 9

LIST OF ACRONYMS

ABBREVIATIONS MEANING
CCTV Closed-circuit Television
CVC Card Verification Code (used by Mastercard)
CVV Card Verification Value (used by VISA)
EDR Endpoint Detection and Response
FTC Federal Trade Commission
IT Information Technology
PCI DSS Payment Card Industry Data Security Standard
PIN Personal Identification Number
SQL Structured Query Language
SSL Secure Sockets Layer
TLS Transport Layer Security
USB Universal Serial Bus
WEP Wireless Equivalent Privacy
WPA Wi-Fi Protected Access

CHAPTER 1: INTRODUCTION

1.1. About TJX

Figure 1: The Logo of company TJX

1.1.1. Company Background


TJX Companies, Inc. (NYSE: TJX) is the leading off-price retailer of apparel and home
fashions in the U.S. and worldwide. TJX was founded in 1976 and operates eight
independent businesses in the low-cost segment: T.J. Maxx, Marshalls, Household
Goods, A.J. Wright and Bob's Stores in the United States, Winners and HomeSense in
Canada, and T.K. Maxx in Europe. TJX sells name-brand clothing and home fashion at
prices 20 to 70 percent lower than department or specialty stores.

1.1.2. Achievement
In 2006, TJX ranked 138th on the Fortune 500. With sales of $17.4 billion in the year
ending January 2007, the company was three times the size of Ross Stores Inc., its
closest competitor. By 2023 this position had risen to 87th, and the company operates
four main divisions: Marmaxx, HomeGoods, TJX Canada, and TJX International (including
Europe and Australia). As of January 28, 2023 (fiscal year end), TJX operated more
than 4,800 stores. The business spans nine countries on three continents and includes
six e-commerce businesses.

Figure 2: A Global Off-Price Retailer

1.1.3. Market Segment


As an off-price retailer, TJX occupied the space between deep discounters selling
unbranded goods at low prices and department or specialty stores selling branded goods
at premium prices. TJX sold branded apparel and home fashions at prices between 20
and 70 percent lower than department or specialty stores. It bought merchandise directly
from manufacturers at wholesale prices throughout the year, in contrast to department
or specialty stores, whose buying was driven by current trends and was seasonal. It also
acquired merchandise from department and specialty stores themselves, which were
often stuck with excess goods every season as a result of late order cancellations, missed
production deadlines, and scheduling changes.

TJX operates in the off-price retail segment and buys merchandise directly from
manufacturers at wholesale prices, as well as excess goods from department and
specialty stores. Off-price companies serve a special niche in the retail industry,
capitalizing on volatility in consumer demand and mistakes made by designers and full-
price retail outlets to keep their stores stocked with new low-price products. It is the
overruns and canceled orders due to the unpredictability of the market, and the inability
of designers and full-price retail stores to perfectly predict consumer demand, that create
excess inventories for off-price consumption.

In general, TJX relies significantly on Information Technology to facilitate various
processes, including pricing, markdown decisions, inventory replenishment, and timely
distribution. These processes are crucial in supporting their off-price strategy.

1.2. Reasons for choosing the topic
The incident in which TJX had the personal and credit information of millions of
customers compromised was the largest and most impactful cyberattack in history,
occurring in 2007. In this attack, hackers stole personal and credit information from
over 45.7 million customers of TJX Companies; however, some estimates suggest that up
to 94 million people were affected.

The event had a significant impact on the retail industry, prompting a renewed focus on
security measures. The attackers exploited vulnerabilities in the wireless network,
collecting a vast amount of information, including credit card numbers, debit card
details, expiration dates, and CVV codes.

TJX incurred hundreds of millions of USD in damages to resolve the issue. This
included compensating affected customers, enhancing security measures, settling class-
action lawsuits brought forth by Visa and Mastercard, and paying fines to the Federal
Trade Commission (FTC).

The TJX data breach underscored the importance of information security for the retail
industry and IT systems. Therefore, we chose this topic to report on, aiming to provide
a valuable lesson for retail companies and individuals. Retail companies and individuals
must establish and implement robust security measures, and raise awareness about
security to effectively safeguard customer information. Furthermore, this is essential to
enhance community awareness regarding the importance of securing personal and credit
information.

1.3. Objectives and scopes


The main objective of this study is to identify and analyze in detail the TJX data breach
incident, investigate the causes that led to this event, and propose reasonable solutions
to prevent and minimize unwanted risks in the future.

This report will focus on a detailed analysis of the TJX incident, covering aspects from
its scope and developments to specific vulnerabilities within the security system. We
will particularly emphasize the causes leading to the incident and the methods employed
by the hackers. Additionally, the team will provide recommendations to enhance
information security and prevent similar issues in the future.

Chapter 2 of the report will proceed with an in-depth analysis of the breach incident,
including where and when it happened, who was involved, what damages occurred, how
the incident unfolded, why the security breach happened, and the ways the attackers
carried out their actions.

CHAPTER 2: ANALYSIS OF THE INCIDENT

2.1. Location and timeframe of occurrence

The intrusion began in mid-2005, and the violations continued until January 2007, when
they were first discovered. The attack was executed by exploiting vulnerabilities in the
company's wireless network at two Marshalls stores in Miami, USA.

In the United States, the attack impacted customers of T.J. Maxx, Marshalls,
HomeGoods, and A.J. Wright stores. In Canada, the attack affected customers of
Winners and HomeSense stores. In the United Kingdom, the attack impacted customers
of T.K. Maxx stores.

2.2. Involved parties

- TJX Companies, Inc.: TJX Companies, Inc. is a multinational retail corporation
based in the United States. The company owns the chains of T.J. Maxx,
Marshalls, HomeGoods, and A.J. Wright stores.
- Hacker team: The hacking group consisted of 10 individuals, led by Albert
Gonzalez, an American computer hacker who at the time of the incident was an
informant for the Secret Service and who later turned cybercriminal. With his
accomplices he masterminded and executed attacks to steal computer data from
the company's internal network.
- TJX’s customers: Over 45.7 million customers of TJX were affected by this
attack, with estimates suggesting the number could be as high as 94 million.
Their personal information, including names, addresses, card numbers,
expiration dates, and security codes, was compromised.

2.3. Incurred Damages

The TJX data breach of 2005-2007 was one of the largest data breaches in history. The
incident had a serious impact on TJX's reputation and led to the company facing a
number of legal, financial, and reputational issues.

The theft of more than 45 million credit and debit cards made it one of the biggest data
breaches of the year. The hackers managed to take 80 terabytes of stored data from a
TJX server and move it to a different location using the business's high-speed network.
Additionally, over 94 million customer records were compromised by hackers,
including private data like names, residences, and driver's license numbers.

- Reputational damage:
This incident was a major blow to the company's reputation. TJX faced intense public
scrutiny and negative media attention following the breach. News outlets widely
reported on the incident, highlighting TJX's security failures and the severity of the data
exposure. This negative publicity further damaged the company's reputation and eroded
public confidence.

It also significantly eroded customer trust in TJX. Customers felt their personal
information was not secure and their privacy had been violated. This led to many
customers choosing to shop elsewhere, resulting in a decline in sales and brand loyalty.

- Financial damage:
The business calculated that the cost of the computer data breach had skyrocketed to
$256 million in the months that followed.

This expense grew through the accumulated costs of repairing the business's computer
systems, handling ongoing legal matters, and other claims resulting from the hack.
Outside security experts, however, questioned whether TJX's costs would stay anywhere
close to that figure. Depending on the outcome of additional investigations and
lawsuits, which may result in further penalties, the final amount may grow significantly.

TJX revealed its second-quarter profits report while the inquiry was ongoing and before
rumors started circulating outside of it. Due to expenses associated with the data breach,
the company's second-quarter 2007 earnings were $118 million lower than in prior years
(Figure 3). Following its announcement, TJX experienced a significant decline in both
revenue and operating income in its 2007 quarterly report.

Figure 3: Financial performance of TJX (Fiscal second-quarter earnings)

2.4. Development of the incident

- Start date: The thefts started as early as 2003 and were announced by TJX
Companies in February 2007.
- Developments: On several occasions in 2005, the hackers sat outside TJX's
Marshalls store in St. Paul, Minnesota. From there they were able to point a
telescope-shaped antenna at the store and record the wireless transactions
occurring inside as they were transmitted over the business's wireless network.
By passively listening to the traffic crossing the network in this way, the
hackers remained undetected; no one knew they were there. After listening for
two days, they were able to crack the store's WEP security key, which let them
steal bank account and credit card information.
- How they attacked: Using this information, the hackers were able to re-enter
the system and penetrate the corporate networks of TJX's headquarters in
Framingham, Massachusetts, between May and December 2006. They gained access
not only to the system but also to the organization's centralized corporate
database, which contained crucial company and consumer data. The hackers would
eventually get away with approximately 45.7 million separate payment cards from
transactions dating back to the beginning of January 2003.

- TJX's response: The company defended its handling of wireless security. Mr.
Campell, Vice President of TJX, said: “These TJX internal emails are just a very
small portion of the extensive, ongoing dialogue on the topic of WPA wireless
network security and timing of spending which occurred at TJX… TJX decided to
move to WPA in advance of being required to do so by the payment card industry.
Spending on WPA conversion was not deferred by TJX; in fact, it was accelerated
and TJX completed conversion to WPA in advance of its conversion timetable and
ahead of many major retailers.”

Reassuring the public, Carol Meyrowitz was optimistic about the future of the company,
stating: “With our goal continuing to be driving profitable sales, TJX has a bright
future filled with enormous opportunities.” On February 21, 2007, she stated: “We are
dedicating substantial resources to investigating and evaluating the intrusion which,
given the nature of the breach, the size and international scope of our operations, and
the complexity of the way credit card transactions are processed, is, by necessity, taking
time... Additionally, we have strengthened the security of our computer systems. Based
on everything we have done, I believe customers should feel safe shopping in our
stores.”

2.5. Causes of the incident


2.5.1. Causes analysis
The TJX hack had a significant impact on the retail industry and prompted a renewed
focus on security measures. The incident was one of the most high-profile breaches to
occur after the PCI DSS was implemented in June 2005. The company violated 9 of the
12 requirements set by the card industry to ensure secure card transactions. This
included misconfigured wireless networks, improper antivirus protection, weak
intrusion detection, use of easily cracked usernames and passwords, and inaccurate
vulnerability patching and log-keeping procedures.

- Weak wireless security


TJX used the weak WEP (Wireless Equivalent Privacy) security protocol for its in-store
wireless networks, which can be cracked in just a few seconds. WEP's problem is that the
same initialization vector (IV) is used repeatedly, and reusing an IV under the same key
makes the traffic very easy to attack. Instead of deriving temporary per-session keys,
WEP uses the master key directly, and because most users never change that key, an
attacker has unlimited time to recover it.
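To make the IV-reuse problem concrete, the following is an added example in Python (not from the report and not TJX's code): the keystream generator is a SHA-256 counter construction standing in for WEP's RC4, the key, plaintexts and captured frames are constructed, and the monitor shows how a defender would flag a repeated IV on the air and how soon a 24-bit IV space is expected to repeat.

```python
# Added example (not from the report): why a repeated WEP IV is fatal, and how a
# passive monitor would flag it. RC4 is replaced by a SHA-256 counter-mode PRG
# (a stand-in, not WEP's real cipher); key, plaintexts and frames are constructed.
import hashlib
import math
from collections import defaultdict

IV_BITS = 24  # WEP prepends a 24-bit IV, sent in the clear, to the shared key


def keystream(iv_bytes, master_key, length):
    """Per-packet key is IV || master key, as in WEP; the PRG is a SHA-256
    counter construction standing in for RC4."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(iv_bytes + master_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_frame(iv, master_key, plaintext):
    """Return (iv_bytes, ciphertext); the IV travels unencrypted in the header."""
    iv_bytes = iv.to_bytes(3, "big")
    return iv_bytes, xor(plaintext, keystream(iv_bytes, master_key, len(plaintext)))


def keystream_reused(master_key, iv_a, p_a, iv_b, p_b):
    """True when c_a XOR c_b == p_a XOR p_b, i.e. both frames were encrypted under
    the same keystream. An eavesdropper who knows either plaintext (a predictable
    header, say) then learns the other without ever recovering the key."""
    _, c_a = encrypt_frame(iv_a, master_key, p_a)
    _, c_b = encrypt_frame(iv_b, master_key, p_b)
    return xor(c_a, c_b) == xor(p_a, p_b)


def find_iv_reuse(frames):
    """Defender's monitor over observed (bssid, iv) pairs: return
    {(bssid, iv): count} for every IV seen more than once from the same AP."""
    seen = defaultdict(int)
    for bssid, iv in frames:
        seen[(bssid, iv)] += 1
    return {k: v for k, v in seen.items() if v > 1}


def frames_until_collision_likely(iv_bits=IV_BITS, p=0.5):
    """Birthday bound: number of frames after which at least one IV repeat has
    probability p, assuming IVs are chosen uniformly at random."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * n * math.log(1 / (1 - p))))


# Constructed sample data: a store key and two equal-length POS messages.
SAMPLE_KEY = b"tjx-store-key"
SAMPLE_P1 = b"POS transaction 0001"
SAMPLE_P2 = b"POS transaction 0002"

# Constructed capture: three frames from one AP, two of them sharing IV 0x0A0B0C.
SAMPLE_FRAMES = [
    ("00:11:22:33:44:55", 0x0A0B0C),
    ("00:11:22:33:44:55", 0x0A0B0D),
    ("00:11:22:33:44:55", 0x0A0B0C),
]
```

With a 24-bit IV, `frames_until_collision_likely()` comes out at 4823 frames for a 50% chance of a repeat, which a store's wireless terminals reach quickly.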

Figure 4: Wireless transmission of data connected to corporate networks

TJX and other retailers are required by credit card companies to store customer credit
card information on their own internal systems so that in the event of a transaction
dispute, the credit card company can access the records. Storing customer credit card
information on retailers' internal systems can create a security vulnerability if not done
properly. In the case of TJX and other retailers, the use of the WEP security standard
was an issue, as WEP has been shown to be insecure and easy to attack. “The company
collected too much personal information, kept it too long, and relied on weak encryption
technology to protect it – putting the privacy of millions of customers at risk,” said
Stoddart, who serves as an inspector and advocate for protecting the privacy of
Canadians.

- Lack of physical security in stores


According to Information Week, the attackers opened kiosks in the stores and used USB
drives to load software onto those terminals, turning them into remote terminals
connected to TJX's network. This points to carelessness and a lack of monitoring and
protection of physical IT assets in stores.

- Lack of regular security check


In 2005, the group of hackers sat outside the Marshalls store in St. Paul, Minnesota,
multiple times. There, they could point a telescope antenna toward the store to record
wireless transactions inside the store as they were broadcast over the company's
wireless network. This way, the intruders would listen to network traffic to ensure they
stayed invisible and no one knew they were there.

Figure 5: Schematic representation of security breach by the hackers

TJX did not perform regular security audits or network checks, either internal or
external. As a result, it did not upgrade its data encryption system by the time the
electronic eavesdropping operation began in July 2005. The intrusion eventually
allowed the hackers to access TJX's central database undetected for nearly 18 months.

- Lack of data encryption in transit


TJX transmitted data to credit card providers without encryption, making it easy for
others to intercept. In addition, TJX mentioned in a public statement that the attackers
had been able to access the decryption tool of the encryption software used by TJX.

- Violating PCI Standards


PCI DSS was established in 2004. PCI DSS includes 12 key security requirements that
businesses must comply with to protect payment card data. Its main goal is to protect
and enhance the security of sensitive data of cardholders, such as credit card numbers,
expiration dates, and security codes. The security controls in this standard help
businesses minimize the risks of data breaches, fraud, and identity theft.

Even though PCI security measures were implemented, TJX initially fell short on 9 out
of the 12 specified requirements. However, without any severe penalties, Visa allowed
TJX to continue its operations under the condition that it would enhance the security
level of its system. TJX should have upgraded its wireless security encryption standard
within the suggested timeframe advised by credit card companies.

In an email sent to employees on November 23, 2005, Butka expressed concerns about
enhancing security and suggested postponing the upgrade from WEP to the newer, more
secure WPA wireless encryption standard. He stated: “We can comply with PCI without
upgrading to WPA technology in fiscal year 2007 for encryption because most of our
stores do not have the capability for WPA without some changes... WPA is clearly the
best method and may ultimately become a requirement for PCI compliance in the future.
I believe we have an opportunity to defer some expenses from the fiscal year 2007 budget
by eliminating funds from the WPA upgrade, but I want all of us to agree that the risk
is small or insignificant.”

PCI Data Security Standard requirement 3.2 explicitly stipulates that after payment
confirmation a retailer may not store sensitive authentication data such as CVC codes,
PINs, or the full track (magnetic stripe) data. However, it appears that TJX's customer
records included card verification codes (CVC) and personal identification numbers
(PINs) associated with customer cards. PCI requires companies in levels 2 and 3 to
comply with these standards by completing an annual self-assessment questionnaire and
having quarterly scans conducted by an approved provider. However, this can easily be
circumvented because network scans are often automated using software such as McAfee's
and are limited to the network identified by the company. They do not include scanning
databases to check whether the data is encrypted. TJX violated PCI standards by storing
unencrypted data.
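A database-side check of the kind the text says the quarterly network scans omit, as an added example (not from the report): it walks constructed stored transaction records, flags sensitive authentication data still present after authorization, and uses the Luhn check to tell a plaintext PAN from other long numbers. Column names are assumed.

```python
# Added example (not from the report): a stored-data audit of the kind the text
# says the quarterly network scans did not perform. Records and column names are
# constructed; a real audit would read the actual schema.
import re

# Sensitive authentication data that PCI DSS forbids storing after authorization.
FORBIDDEN_AFTER_AUTH = {"cvv", "cvv2", "cvc", "cvc2", "pin", "pin_block", "track1", "track2"}

# Candidate primary account numbers: 13 to 19 digits, optionally space/dash separated.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits):
    """Luhn checksum, which every real PAN satisfies; weeds out order numbers
    and timestamps that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_plaintext_pans(text):
    """Return every Luhn-valid PAN found in a string value, separators removed."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def audit_record(record):
    """Findings for one stored transaction record (a dict of column -> value)."""
    findings = []
    for column, value in record.items():
        if value in (None, ""):
            continue  # an empty forbidden column is compliant
        if column.lower() in FORBIDDEN_AFTER_AUTH:
            findings.append(f"{column}: sensitive authentication data retained after authorization")
        if isinstance(value, str) and find_plaintext_pans(value):
            findings.append(f"{column}: plaintext PAN stored unencrypted")
    return findings


def audit_table(records):
    """Map record id -> findings, omitting clean records."""
    report = {}
    for record in records:
        findings = audit_record(record)
        if findings:
            report[record["id"]] = findings
    return report


# Constructed sample rows: one non-compliant record, one compliant (tokenized) record
# whose free-text note carries a long order number that is not Luhn-valid.
SAMPLE_RECORDS = [
    {"id": 1, "pan": "4111 1111 1111 1111", "cvc": "123", "pin": "", "note": "approved"},
    {"id": 2, "pan_token": "tok_7f3a9c", "card_last4": "1111", "cvc": None,
     "note": "order 20070221000000001 shipped"},
]
```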

The privacy commissioner of Canada intervened and conducted a separate
investigation. The findings revealed that TJX violated standards for collection, storage,
and security outlined in federal commercial privacy laws. TJX even collected driver's
license numbers when customers returned items without a receipt. The commissioners
stated: “A driver's license is proof that an individual is authorized to operate a motor
vehicle; it is not identification information for conducting shopping return behavior
analysis... Furthermore, a driver's license number is highly valuable data for fraudsters
and identity thieves intending to create false identification using valid information. For
this reason, retailers and other organizations must ensure they do not collect
identification information unless it is necessary for the transaction.”

- Lack of processing logs


TJX lacked processing logs in its system. These logs are important for forensic analysis
of the system, such as when it was accessed, which files were added, changed, or
deleted, etc. This is especially important when processing millions of transactions.

2.5.2. Attack methods used
The attack consisted of two phases:
- Phase 1: SQL injection attack. SQL injection is a security vulnerability that
allows attackers to inject malicious SQL code into a SQL query. Gonzalez and his
accomplices exploited this vulnerability to inject malicious SQL code into TJX's
websites and subsequently deployed backdoors on some of the company's systems
to carry out packet-sniffing attacks, enabling them to steal computer data from
the company's internal network.
- Phase 2: Sniffer program attack. A sniffer is a type of malicious software that
collects sensitive data as it is transmitted over the network, exploiting security
vulnerabilities in the company's systems. Once installed, this program began
capturing information from TJX's computers, including sensitive details such as
credit card numbers, debit card details, expiration dates, and CVV codes.
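The Phase 1 defect class beside its fix, as an added example (not from the report and not TJX's code): an in-memory SQLite table with constructed rows stands in for the retailer's unknown database, one lookup concatenates caller input into the SQL text, and the parameterized version binds the same input as data.

```python
# Added example (not from the report, not TJX's code): the "Phase 1" defect class
# beside its fix. SQLite and the customers table are constructed for illustration.
import sqlite3


def demo_db():
    """Constructed sample data: two customers, storing only the last four PAN digits."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1234"), ("bob@example.com", "5678")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Builds the statement by string concatenation, so whatever the caller
    supplies is parsed as SQL text: a quote ends the literal and the rest of the
    input becomes part of the WHERE clause."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Parameterized query: the driver binds the value as data. The same input
    is compared literally against the column and can never alter the query."""
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


# The textbook tautology input, used only to exercise the defect above.
PROBE = "x' OR '1'='1"
```

Run side by side, `lookup_vulnerable` returns every customer for `PROBE` while `lookup_safe` returns none, which is the whole difference between the two functions.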

2.6. Proposed solutions for cybersecurity

Cause of the incident: Weak wireless security
Solutions:
- Implement WPA2 or WPA3 encryption protocols for all wireless networks.
  Dealing with the use of the weak WEP security protocol is crucial. TJX needs to
  switch to stronger encryption methods to ensure secure wireless communication.
  Regular security audits and vulnerability assessments should be conducted to
  identify and rectify any weaknesses in the wireless network.

Cause of the incident: Lack of physical security in stores
Solutions:
- Implement a surveillance and monitoring camera system such as CCTV.
  Installing surveillance camera systems at important points in the store will help
  closely monitor all activities that occur. This will increase the likelihood of
  detecting abnormalities and help identify the person responsible.

Cause of the incident: Lack of regular security checks
Solutions:
- Conduct regular security checks.
  This is an important practice for maintaining the integrity and resilience of a
  system or network. Regular security checks help identify vulnerabilities, assess
  potential risks, and ensure that protective measures are in place.

Cause of the incident: Lack of data encryption in transit
Solutions:
- Implement strong encryption protocols.
  Employ robust encryption protocols like TLS or SSL to secure data in transit.
  These protocols encrypt the communication between systems, preventing
  unauthorized access and eavesdropping. Regularly update the protocols to adhere
  to the latest security standards and patch any known vulnerabilities.
- Strengthen firewall protection.
  Deploy enterprise-grade firewalls at critical points in the network, including
  those connected to kiosks. Ensure these firewalls are configured to filter and
  block unauthorized or malicious traffic.

Cause of the incident: Violating PCI standards
Solutions:
- Strengthen compliance with PCI DSS.
  The business should establish a dedicated team responsible for PCI compliance,
  and strictly adhere to the timelines advised by credit card companies and PCI DSS
  for security upgrades. Conduct regular self-assessments to evaluate compliance
  with PCI DSS requirements, and also conduct regular internal and external audits
  to ensure compliance with PCI DSS standards. This includes thorough assessments
  of security controls, policies, and procedures.

Cause of the incident: Lack of processing logs
Solutions:
- Implement comprehensive logging systems.
  Deploy a centralized logging system capable of collecting logs from various
  components of the IT infrastructure (including servers, databases, and network
  devices), and establish a standardized format for logging across all systems.
  This ensures consistency and facilitates easier analysis during forensic
  investigations.
  Ensure logs include accurate timestamps for each event. Sequencing is crucial
  for reconstructing the timeline of activities, aiding forensic analysts in
  understanding the sequence of events during an incident.

In addition to these specific solutions, TJX should also:

- Develop a culture of security within the organization.
- Hold employees accountable for following security policies and procedures.
- Invest in ongoing security training and education for employees.
- Provide training to IT personnel on the importance of logging and the role it
plays in incident response and forensic analysis.
- Stay informed about the latest cybersecurity threats and vulnerabilities.
- Continuously review and update security measures to adapt to evolving threats.

2.7. TJX's reaction evaluation


2.7.1. About TJX's Response
- Insufficient information:
The press release and video lacked technical details about the breach, leaving customers
and the public unaware of the specific vulnerabilities exploited. Without specific
information, customers couldn't assess the severity of the breach or understand how it
might have affected them.
- Vague details:
TJX's response lacked a comprehensive explanation of the steps taken to remediate the
situation. Customers were left uncertain about the security measures implemented to
protect their data in the aftermath.

- Vagueness about the timeline:


The timeline of events leading to the discovery of the breach and subsequent actions
taken was not communicated. The lack of a clear timeline created confusion and raised
questions about TJX's responsiveness.

Suggestions:
- Be clear about the technical details:
Provide a detailed technical overview of the breach, emphasizing the specific
vulnerabilities and how they were addressed. This would empower customers with a
clearer understanding of the incident and the effectiveness of TJX's response.
- Explain the remediation comprehensively:
Clearly articulate the steps to enhance security, including technological upgrades,
policy changes, and ongoing monitoring. Transparency in remediation efforts instills
confidence in customers about the company's commitment to preventing future
breaches.

- Provide a detailed timeline:
Present a well-defined timeline of the breach, from its initiation to discovery and
subsequent actions taken. A clear timeline demonstrates accountability and
responsiveness, addressing concerns about any delays in identifying and mitigating the
breach.

2.7.2. About TJX's public disclosure

- Missing detailed information:
TJX did not specify the types of customer data compromised, beyond mentioning credit
and debit card information. Lack of clarity left customers uncertain about the extent of
their compromised personal information.
- Failure to disclose security measures:
Specific details about new security measures implemented were not disclosed.
Customers might question the company's commitment to preventing future breaches
without understanding the protective measures.
The lack of transparency eroded public trust in TJX's ability to safeguard customer data.
The limited information provided invited speculation and extended negative media
coverage. Customers may feel betrayed, leading to decreased brand loyalty and
potential financial repercussions for TJX.

Suggestions:
- Disclose the compromised data fully:
Clearly state all types of customer data that were compromised. This provides customers
with a comprehensive understanding of the potential risks they face.
- Be transparent in security enhancement methods:
Disclose specific security measures adopted to prevent future breaches. Transparent
communication about proactive security steps demonstrates a commitment to customer
protection.

In summary, TJX's response and public disclosure could have been more effective with
detailed technical information, a comprehensive remediation explanation, and full
disclosure of compromised data types. The lack of such transparency negatively
impacted public trust and could have been improved with clear communication and
openness.

2.8. Key takeaways

- Importance of data encryption:
The breach highlighted the critical need for robust data encryption measures,
emphasizing the importance of securing sensitive information such as credit card
numbers and personal data.
- Compliance with security standards is not enough:
While TJX technically fulfilled some PCI compliance requirements, they failed to
implement essential security controls, demonstrating that compliance alone does not
guarantee adequate protection.
- Data privacy must be prioritized:
Businesses must collect only necessary data, implement appropriate storage and access
controls, and clearly communicate privacy policies to customers.
- Physical security matters:
Protecting physical IT assets and implementing access controls are vital aspects of the
overall security strategy. Combining physical and cybersecurity measures ensures
comprehensive protection against diverse threats.
- Involvement of IT executives:
IT executives and departments should have a substantial role in strategic decisions,
especially those related to data security. Given the increasing cyber threats, a
collaborative approach ensures that technology-related risks are adequately considered
in decision-making processes.
- Need for regular security audits and penetration testing:
Regular security audits and assessments are crucial to identifying and addressing
potential vulnerabilities in the system. Proactive measures can help prevent data
breaches and strengthen overall cybersecurity.
The TJX data breach acts as a warning for businesses of every scale: data security must
be given priority and strong safeguards must be in place to protect customer information.
By securing data proactively, businesses reduce the harm to their reputation and protect
their brand if a breach does occur.
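The first three takeaways above (encrypt card data, do not stop at the compliance checklist, keep only what is needed) can be shown concretely. The following Go program is an added example written for this report; it is not code from TJX, from the report's authors or from any cited source. It assumes the application stores, for each card, only a masked number for display, a keyed lookup tag, and an AES-GCM ciphertext of the full PAN, with the encryption key and the HMAC key held separately (in practice in a key-management service, never beside the database). The keys and the card number in main() are constructed demo values; 4111111111111111 is the widely used Visa test number.

```go
package main

// Added example, not from the report: protecting stored cardholder data so
// that a copied table or a stolen backup yields nothing usable on its own.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// CardRecord is what the application database holds. There is no plaintext PAN.
type CardRecord struct {
	Masked     string // e.g. "************1111", permitted on receipts
	LookupTag  string // HMAC-SHA256(PAN): find the same card without decrypting
	Ciphertext []byte // nonce || AES-GCM(PAN, associated data = Masked)
}

// luhnValid rejects malformed numbers before anything is persisted.
// PANs are 13 to 19 digits and must satisfy the Luhn checksum.
func luhnValid(pan string) bool {
	if len(pan) < 13 || len(pan) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		if pan[i] < '0' || pan[i] > '9' {
			return false
		}
		d := int(pan[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// maskPAN keeps only the last four digits (the most that should ever be displayed).
func maskPAN(pan string) string {
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

// lookupTag is a keyed, non-reversible identifier for the card. The HMAC key is
// distinct from the encryption key, so neither key alone exposes card data.
func lookupTag(hmacKey []byte, pan string) string {
	m := hmac.New(sha256.New, hmacKey)
	m.Write([]byte(pan))
	return hex.EncodeToString(m.Sum(nil))
}

func newGCM(encKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(encKey) // encKey: 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ProtectPAN validates the card number and returns the record to store.
func ProtectPAN(encKey, hmacKey []byte, pan string) (CardRecord, error) {
	if !luhnValid(pan) {
		return CardRecord{}, errors.New("invalid card number")
	}
	gcm, err := newGCM(encKey)
	if err != nil {
		return CardRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return CardRecord{}, err
	}
	masked := maskPAN(pan)
	// Binding the masked PAN as associated data means a ciphertext moved to
	// another row fails authentication instead of decrypting silently.
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(masked))
	return CardRecord{Masked: masked, LookupTag: lookupTag(hmacKey, pan),
		Ciphertext: append(nonce, ct...)}, nil
}

// RevealPAN is only for the component that truly needs the full number
// (e.g. sending a refund to the issuer). Any tampering is detected.
func RevealPAN(encKey []byte, rec CardRecord) (string, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(rec.Ciphertext) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, rec.Ciphertext[:ns], rec.Ciphertext[ns:], []byte(rec.Masked))
	if err != nil {
		return "", errors.New("decryption failed: wrong key or tampered record")
	}
	return string(pt), nil
}

func main() {
	// Constructed demo keys; real keys come from a KMS or HSM, never source code.
	encKey := []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	hmacKey := []byte("separate-key-for-lookup-tags-only")
	rec, err := ProtectPAN(encKey, hmacKey, "4111111111111111") // Visa test PAN
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", rec.Masked, rec.LookupTag[:16]+"...")
	pan, err := RevealPAN(encKey, rec)
	fmt.Println("recovered:", pan, err)
}
```

The design choice worth noting is the split between what the database holds and what any single component can do with it: the web tier can show the masked number and match repeat cards by tag, while only the refund path holds the decryption key. Had TJX stored only records of this shape, the intercepted and copied data described in this report would have been far less valuable.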

CHAPTER 3: CONCLUSION

In summary, the analysis of the TJX data breach incident has provided valuable insights
into the factors contributing to this significant security lapse. The breach, which
occurred between 2005 and 2007, involved sophisticated methods by hackers who
exploited vulnerabilities in TJX's security infrastructure. The incident had severe
consequences, impacting millions of customers and causing substantial reputational and
financial damage to TJX Companies, Inc.

By learning from the past and taking proactive measures, organizations can better
protect themselves from cyber threats and ensure the security of their sensitive data in
the ever-evolving digital landscape. The TJX data breach incident serves as a reminder
that cybersecurity is an ongoing journey, and continuous vigilance and adaptation are
key to safeguarding critical information in the digital age.
