tjx

I promissed you a report from my guest lecture at the Norwegian school of Management BI.

First, thank you to all of you who gave me ideas and input to the workshop! Invaluable! And I thank a great deal of the success to you! You all know who you are!

On to the report then.

I was given the opportunity to host a guest lecture for the third year bachelor students at the Norwegian school of management BI. The study is a bachelor in IT management – i.e. these students are going to be the next generation CIO's, IT-managers and IT-directors out there.

Some of you might scream;

“Oah – what the hang glider – white-collars to be the IT-managers??? What about the nerdy-ness required? What about their technical knowhow? Do they even know how to configure a firewall?”

First of all – the CIO, the IT-director and the IT-manager – those are managerial jobs. Those are there to handle the business side of ICT. Those are there to execute the business strategy of ICT. The sooner you realize that, the better.

Secondly – the study is very interesting indeed. Agreed, they do not dwelve deeply into firewall administration – but they do dig into technology, ICT and the students are genuinely interested in the geeky side of things.

Thirdly – they bring business understanding and value to the table. They have been thought budgeting, reporting and economical analysis. They understand the relation between business goals, and the relevance those has to ICT.

So IMO, this study is very important and relevant. It provides the market with IT-managers with a sound combination of business understanding AND ICT-interest. These boys and girls can set up a network, while discussing implementation of business strategy with the CEO.

Now that is out of the hat, and I can move on :)

I got approval from Renny – the lecturer of the class – to run my guest lecture as a workshop. The purpose was simple – to actually have the students working instead of just listening or surfing.

I based the workshop upon the TJX case. I took some of the facts, without telling them that this was a true case of course. The facts I gave them included the size and time frame of the breach, and then I asked them to discuss the possibility of this being true or not.

As expected, discussion was on.

I then added some more details, and they where to role play being the the company, and decide what they should have done to prevent this to happen. They had to incorporate some theory that they where supposed to have studied too. This exercise was in groups of 4, and they spent some time finding the answers. A healthy discussion and plenum summary followed. Many great ideas and they realized the complexity of such a case.

Their last task was given them after I told the truth, and some more details. The task was to be the upper management, in the days after the breach was publicly known. They would have to decide what to do now – and the focus is of course to make the best business possible.

Taking into consideration that they where students, with no or little knowledge of running such huge operations as TJX are, they did very well indeed. Most importantly, I think they learned that business is about making a profit, while reducing risks.

According to the feedback after the session, the students enjoyed the workshop.

I know I loved the opportunity, and had great fun.

TJX have turned a potential fatal breech into a profitable venture. A quick recap:

• In January 2007, the news broke loose that hackers had gained access to TJX sentrally stored customer data, resulting in the theft of 47 million credit card numbers (amongst other privacy data). Everyone can see that has to be bad for business.
• Then it turns out that the hackers had been doing this for over a year. Ouch. That gotta hurt real bad too.
• After a while, we learn that the hackers gained access through a (unprotected – using WEP) wireless network at one of the shops. Did I say unprotected? Oh. That hurts again. Then again, this was back in the stone age – aka summer of 2005.

We should be expecting TJX to suffer big time. Media has been all over this case. Bloggers too. I have been no better.

It would be reasonable to expect TJX to suffer lower revenue stream. A weaker company would have fallen over. And consumers would turn their backs to the shops.

But only some of this happened. Lets see the status per october 2007 (from Yahoo Finance):

• TJX has a revenue stream of $4.1B and $4.3B the first two quarters 2007, and $5.1 Q4 2006. If they continue to increase the revenue in Q3, and do a strong Q4 – as you will expect as it is the xmass and end-of-year – they will do as good as 2006, or even exceed those $17.44Billion revenue from 2006. Not a huge loss, nothing near the expected anger from the consumers.
• What if we look at growth rate? The past three years, TJX has grew with aprox. one US$billion per year. They risk not to grow with that amount this year – but as we saw above, they look to target or exceed revenue from 2006. It seems TJX will ride the storm well.
• Lets take a look at the profit, then. Even if the consumers don’t seem to abandone TJX, surely there must be expenses? And surely there are – some will show up this year, most will not (see next bullet). Profit. (in thousands)
  Q3 2006: 1.114,316
  Q4 2006 (ends jan. 27): 1.159,153
  Q1 2007 (ends apr. 28): 990,866 – so there is 170 million drop in the first quarter after the breech go public. And considering this is the first quarter of the year, this is not a dramatic drop.
  Q2 2007 (ends jul. 28): 1.035,601
  It seems to me that profit is not affected in the dramatical way we should be expecting.
• Risk can be transferred. It is called insurance. Someone else will pay a large amount of the bill.
• What about the law suits, I hear you ask. TJX is quick there too – they have offered a check of $20 and a gift voucher to all affected customers. They initially tried to be a bit more dirty – a $50 gift voucher and no check, but that was too obvious. What happens with a gift voucher? You go to the store and spend it. Along with some other cash – there is plenty of stuff to buy, and when you are in the shop in the first place, why not do some spendings. TJX know. After all, they are in the consumer market space!
• Market value? Well, the consumers don’t seem to care much.
• The share holders? Surely they must have run away? Hah, no, 2007 is their best year ever. TJX shows a steady growth of value, and the bad news in January could not take the shares down to June 2006 values. TJX is nothing but a money machine.
• What about the breech in the first place? Well, this was in 2005, a WEP protected WIFI point was hacked. Most of my readers would know how to do that themselves – and in less than 10 minutes. If you don’t, take my word for it. WEP does give you protection against those who do not know how to hack it, though.

You may do a risk assessment, and determine that the risk of a hacker hacking you is so small, you will risk it. If you do, that is exactly what you are supposed to do – evaluate the risk at hand, and treat it accordingly.

I suspect that TJX did evaluate the risk, and did make a valid decision. After all, they did start to implement WPA only a few months after the initial breech.

I have to admit - they seem to be doing all the right things. From a business point of view, they are. They are analysing the situation, evaluating options, and choosing the road to minimize risk and maximize profit.

And it seems like they are pulling it off too! Congratulations to TJX!

Oh, the TJX. No, I guess I never get tired of it!

This time, I will just point you to this important message from the president and CEO they made oct. 11.

There, Carol Meyrowitz, the President and CEO, says:

"To learn more about steps you can take to protect your credit and debit card information, I encourage you to access the information we are providing on this website or to contact our special customer helplines listed below."

Sorry Carol, I do not think I trust TJX enough for your advices about CC information. At least not MY CC information.

Need I remind you that it never was your CUSTOMERS who messed up? Your customers decided to TRUST you and your companies to handle the CC information. I bet the customers did take necessary precautions and common sense - how could they be expected to be prepared for YOUR breach?

I advice you to do the right things - learn from your own mistakes and fix them - not divert the attention by teaching your customers how to do things they do much better than you ever did.

------------------------------------------------------------------------

Due to the nature of the document, I have pasted the text below too:

LETTER FROM TJX’S PRESIDENT AND CEO October 11, 2007 To Our Valued Customers: At TJX, our first priority always has been and continues to be, our customers. I want each of you to know how much I personally and, on behalf of the Company, regret any difficulties you may have experienced as a result of the criminal attacks on our computer systems announced earlier this year. Importantly, we truly appreciate that you have continued to place your trust in us with your loyalty and patronage. We remain committed to providing our customers a safe shopping environment as you shop for great values, fashion and brands. TJX has been working diligently with some of the world’s best computer security firms to further enhance our computer security. We have also continued to work with law enforcement and government agencies and very much want to see that the sophisticated cyber criminals who attacked our computer systems are brought to justice. We have worked diligently to reach a settlement, which we believe would offer an excellent resolution for our customers, addressing the different ways that they have told us that they have been impacted by the computer intrusion(s). (Like all class action settlements, our settlement is subject to Court approval and other conditions, and therefore, customers cannot yet seek benefits.) We have provided a separate link, below, to additional information regarding the proposed settlement. To learn more about steps you can take to protect your credit and debit card information, I encourage you to access the information we are providing on this website or to contact our special customer helplines listed below. Once again, we sincerely regret any inconvenience you may have experienced as a result of the attacks on our computer system. We are deeply grateful for your continued trust and patronage. Respectfully, Carol Meyrowitz President and Chief Executive Officer     INFORMATION ABOUT PROPOSED CUSTOMER CLASS ACTION SETTLEMENT Click here to view Additional Information about Proposed Customer Class Action Settlement; Subject to Court Approval and Other Conditions. INFORMATION ABOUT INTRUSION(S) View Frequently Asked Questions (FAQs) Click here to view the 2/21/07 Press Release Click here to view the 1/17/07 Press Release Helpful Information for Customers: TJX has special, toll-free helpline numbers in the U.S., Canada, the U.K., and Ireland, to assist customers with concerns about the computer intrusion(s) and to answer questions about the proposed customer class action settlement, which is subject to court approval and other conditions. In the United States: Toll-free help line: 866-484-6978 Available Monday through Friday from 8:00 am to 8:00 pm and Saturday from 9:00 am to 5:00 pm Eastern time. Click here to view Recommended Steps Click here to view Other Resources Haga clic aquí para obtener información en español. In Canada: Toll-free help line: 866-903-1408 Available Monday through Friday from 8:00 am to 8:00 pm and Saturday from 9:00 am to 5:00 pm Eastern time. Click here to view Recommended Steps and Other Resources Cliquez ici pour des renseignements en français. In the United Kingdom and Ireland: Toll-free help line: Callers in the UK* should call 0800 779015 Callers in the Republic of Ireland should call 00 44 800 779015 * (England, Wales, Scotland, N Ireland) Available Monday through Friday from 8:00 am to 8:00 pm and Saturday from 9:00 am to 5:00 pm Eastern time. Click here to view Recommended Steps and Other Resources Any customers who would like to contact TJX Customer Service: Please email TJX Customer Service at: customerservice@tjx.com

The TJX case still keeps me busy, and I just came about this Wall Street Journal reprint. It is well worth a reading, as it taps into the details.

An auditor pointed to the lousy security in september 2006:

"The auditor told the company last Sept. 29 that it wasn't complying with many of the requirements imposed by Visa and MasterCard, according to a person familiar with the report. The auditor's report cited the outmoded WEP encryption and missing software patches and firewalls. "

According to attorney Eric J. Sinrod over at Techrepublic, TJX have spent US$12mill. for costs incured after the security breech. That is in addition to US$3 prior to the fourth quarter.

And - that is in addition to brand value, possible lawsuits, and security investments.  I wonder what the price of securing TJX before the event would have been? Any ideas?

Identity theft has been on the news for a while. TJX, CitiBank and many others have been exploited in the past. Facebook, LinkedIn and Myspace all adds to the information available. Combining the sources of information on search engines like Zoominfo and Naymz makes it so much easier to make a complete profile on just about anyone – and use that information in social engineering. 

One large challenge when it comes to technology and security is the fact that (many) people are lazy and wants the tools that enables them to do as little as possible, with as little effort possible. Large enterprises employs many such people, and has only a few options to controll them. Especially in remote locations. This is where enterprises uses policies to enforce how to implement systems and behaviour.

According to this Register post and Walls street Journal, the TJX credit card breech was done by simple wardriving towards one of its outlets in St. Paul, Minnesota. It is amazing how large corporations tries to maximize profit by reducing security. In this particular case, the wireless network was not secured, and allowed wardrivers to intercept the trafic. This kind of setup should not even be used to secure your home-based network - so one may wonder how a large corporation can allow for so poor security.

Ted is one of those persons with strong feelings of right and wrong. This is especially shown trough his involvement in the security business. He has over 25 years of experience from IT and business, including a Security company start-up.

Read more about Ted and his background on his website.