
Research Article On Information Security Controls


                       TJ MAXX COMPANY

Mina Kazmi


Identity theft, or impersonation, simply means faking someone else's identity, or appearing to be somebody you are not. A significant number of serious cases have been reported, and they reveal a striking fact: the Internet boom provided one of the largest platforms for large-scale frauds such as identity theft. This research article covers a major identity theft scandal at TJ Maxx, a major clothing retailer in the U.S. Identity theft causes massive damage not only to the integrity of a company but also to its reputation and the trust of its customers. This article discusses the damage caused by the identity theft, the security lapses that allowed such a fraud to occur, and the precautionary measures a company or organization can adopt to avoid the damage that negligence and denial of threats and risks can cause.



A threat is generally defined as a potential violation of security. TJ Maxx, a renowned U.S. department store, faced several threats and also suffered one of the biggest security breaches. The possibility of a violation, i.e. the threat, was overlooked at the time, and the result was a breach of security.

In 2007, the company uncovered a computer security breach dating back to 2005. Hackers gained access to information on more than 45 million credit and debit cards for transactions since January 2003 (Identity Theft Awareness, 2011).

The threats the company had to confront were of various sorts. Of the four broad categories of threats (Disclosure, Deception, Disruption and Usurpation), the one that had a serious impact was Deception. Along with threats, vulnerabilities come into the picture as well, eventually resulting in greater risks. When the responsible authorities are negligent, threats open pathways for risks. Deception was a huge threat to the company and harmed its business as well. Lack of vigilance and inefficient surveillance were the major reasons that led to the security violation.

Whenever a breach of security occurs, the core security concept, the CIA Triad (Confidentiality, Integrity and Availability), comes into play. Confidentiality simply means that data is viewable only by those who are authorized. When confidential data or information is leaked, the CIA Triad is violated. A violation occurs when any one of the elements of the CIA Triad is lost. In this scandal, it was the breach of Confidentiality that harmed the company. Nearly 45 million debit/credit card transactions were illegally accessed and taken from the company's computers.


Literature Review:

Impersonation or identity theft is an unlawful act that has become quite common on a global scale. People steal the identities of others and misuse them for illegal purposes.

The chief contributing factors behind such security lapses are: increased use of the Internet, which provides a ready platform for impersonators to engage in such destructive activities; lack of awareness of risks and threats; software bugs; unencrypted network traffic; availability of crack tools; and the complexity of security measures and administration.

Such compromises in security checks have repercussions that can be fatal to the growth of a business or organization. The loss the company experienced could have been prevented in the first place if proper security measures had been outlined. The weakness of some organizations is that they overlook information security concerns. This negligence or denial on their part leads to infringement, impersonation, unauthorized access to confidential information, malicious attacks, email forgery, sniffing of network traffic, exploitation of software bugs, etc.

These are some of the concerns that should be acknowledged, and a proper system should be devised and maintained to keep complete control over the systems. In addition, strict precautionary measures should be enacted to prevent intruders/hackers from penetrating the systems.


The TJ Maxx Company faced this plight in July 2005. Hackers managed to get access to the computer systems of the company. Around 45 million credit/debit cards, accounts and their transactions, along with personal information of the customers, were stolen. It was revealed that these accounts belonged to customers who purchased items from January 2003 to November 2003; however, the company didn't discover the theft until 2007 (Identity Theft Awareness, 2011). The scandal clearly shows that confidentiality was breached in this affair. The customers' personal data, which was confidential in nature, was misused. The intruders/hackers gained access to the company's computer systems, got hold of the company's private data and breached its confidentiality entirely.


The investigation of this case led to the arrest of people of different nationalities, making it an international identity theft case. The individuals arrested included 3 in the US, 3 in Ukraine, 2 in China, 1 in Belarus and 1 in Estonia; another remained to be apprehended (Identity Theft Awareness, 2011).

On further investigation it emerged that the mastermind behind this case was Albert Gonzalez, who is accused of masterminding the combined credit card theft and subsequent reselling of more than 170 million card and ATM numbers from 2005 through 2007, the biggest such fraud in history. Gonzalez and his accomplices used SQL injection techniques to create malware backdoors on several corporate systems in order to launch packet sniffing (specifically, ARP Spoofing) attacks, which allowed them to steal computer data from internal corporate networks. Gonzalez and 10 others sought targets while wardriving and seeking vulnerabilities in wireless networks along U.S. Route 1 in Miami (Wikipedia, Albert Gonzalez, n.d.).


Preventive procedures must be outlined in order to avoid such a case. Risk management is one feasible preventive approach and is highly recommended as a major step toward avoidance. Managing risks simply means identifying the threats, vulnerabilities and risks that are present in a system. Identifying risks is half the task, because only once the problem has been analyzed and identified can better approaches to counter a difficult situation be worked out. Evaluating which steps are cost-effective leads to a better understanding of how to mitigate the risk. It is advisable to strengthen the risk management system to avoid an unforeseen attack by an intruder.



Identity theft cases prevail because of inadequate information security systems. Confidential data/information is meant to be concealed. A system needs to be devised that prevents any hacker/intruder from encroaching on it. In addition, internal controls should be implemented to minimize the chances of unauthorized access to the concealed information. Risk analysis is one of the significant steps to consider in order to lessen the influence of intruders on a system. By Risk Assessment (or Risk Analysis) we mean analyzing the impact of a risk/threat and discovering the causes that could lead to a violation. It weighs the pros and cons of each method that could be implemented to curb the intensity of the risk/threat. The cost-effective method is then implemented in the following phase.


Risk Mitigation is another broad term used in the same context. By Risk Mitigation we mean reducing the chances of an impact or threat occurring in a system. To mitigate threats, internal controls are the first aspect that needs to be developed. An internal control is a measure taken to detect, prevent or mitigate the risk associated with a threat. Internal controls are of three major types: Preventive, Corrective and Detective. In this scandal, the control that fits the situation is the Corrective Control. The company came up with a set of corrective controls that can prevent similar situations in future.

Businesses must constantly consider their risks and assess their internal controls to prevent costly incidents and their unintended consequences. TJ Maxx spent over $130 million to deal with the consequences of this international identity theft case (Wikipedia, n.d.).


The measures that must be adopted include deploying devices and mechanisms such as routers, firewalls, hardware/software authentication, encryption and an intrusion detection system that can detect and prevent any outsider from breaching the confidentiality of the system. Objects such as an application, user or process should be given the least privileges or access. Concealment of data/information leaves no room for the intruder to encroach. A layered security approach should be adopted: never rely on a single mechanism. The more complex the system you have devised, the more difficult it becomes for a hacker to penetrate it. Using products (such as firewalls) from different vendors can help establish a strong security system. A network authentication protocol such as Kerberos can be implemented for client/server environments. Digital certificates can be incorporated into the systems to establish the authenticity of a user.



Identity-Theft-Awareness, 2011, Identity Theft Awareness [online] (Updated 26 August, 2011), Available at: <http://www.identity-theft-awareness.com/tj-maxx.html> [Accessed 29 August, 2011]


Wikipedia, N.D, Identity Theft [online], N.D, Available at: <http://en.wikipedia.org/wiki/Identity_theft> [Accessed 6 September, 2011]


Wikipedia, N.D, Albert Gonzalez [online], N.D, Available at: <http://en.wikipedia.org/wiki/Albert_Gonzalez> [Accessed 8 September, 2011]


About Author:

Mina Kazmi, Student at NUCES-FAST.

