Tjx data breach case study

ISSUES IN ACCOUNTING EDUCATION American Accounting Association Vol. 26, No. 3 DOI: 10.2308/iace-50031 2011 pp. 521–545

Breach of Data at TJX: An Instructional Case Used to Study COSO and COBIT, with a

Focus on Computer Controls, Data Security, and Privacy Legislation

Sandra J. Cereola and Ronald J. Cereola

ABSTRACT: Internal control frameworks (ICF) provide a basis for understanding controls in an organization and for making judgments about the effectiveness of controls. The Sarbanes-Oxley Act of 2002 (SOX) requires companies to report, on an ongoing basis, the effectiveness of their internal controls in their annual filings. The Securities and Exchange Commission (SEC) recommends companies use ICF to help achieve compliance with SOX. ICF provide a useful tool for management and auditors evaluating and addressing the adequacy of controls in their organization. As there is no such thing as a ‘‘risk-free’’ enterprise, developing an understanding of ICF is important for students entering the accounting profession. This instructional case provides students the opportunity to assess internal control risks within an organization’s information system using a ‘‘real-world’’ problem following COSO (SEC-recommended ICF) and/or COBIT as a guide. Students then evaluate the organization’s overall level of internal control risks and formulate recommendations for mitigating such risks.

Keywords: internal controls; COSO; COBIT; internal control framework; data security.

THE CASE: TJX SECURITY BREACH

Y ou are a recent graduate and have accepted an accounting position with one of the big

accounting firms in Massachusetts. Prompted by the discovery of a computer breach of

their corporate systems, TJX Companies (hereafter, referred to as TJX) hires your firm to

review and assess the internal controls related to their information security program and to advise them

as to whether they are in compliance with applicable laws and regulations. As one of your first

assignments, you are placed on the TJX task force. This assignment requires you to use your

knowledge of internal control frameworks (ICF), including the Committee of Sponsoring

Organizations Integrated Framework (COSO) (1992), the Control Objectives for Information and

Sandra J. Cereola is an Assistant Professor and Ronald J. Cereola is an Assistant Professor, both at James Madison University.

Published Online: August 2011

521

related Technology framework (COBIT), state and federal compliance laws1 and other applicable

federal and state information security laws and regulations,2 as well as supplemental evidence, which

you will be required to discover through research of credible sources and cite in your report, to analyze

the case narrative provided on TJX. Upon your review, you are required to prepare a comprehensive

written report discussing your evaluation of TJX’s internal controls. The report will first be presented to

your firm’s top management team and then in summary to TJX’s management team.

In preparation for your involvement with this task force, you are required to review the internal

control framework(s) that you are assigned to use to assess compliance (i.e., COSO and/or COBIT).

The focus of your review will be only on those aspects of COSO and/or COBIT that are significant

to financial reporting and information security.

Company Background

TJX is one of the largest international off-price apparel and home fashions retailers in the U.S.,

with over 2,700 stores worldwide at the end of fiscal 2009. Based in Framingham, Massachusetts,

the company was founded in 1956 as Zayer’s discount department stores. Diversifying into

specialty retailing, the company acquired Hit or Miss in 1969 (an off-price fashion clothing chain

for women), and opened its first T.J. Maxx store in 1977 (modeled after the Marshalls chain, an off-

price fashion store for the whole family). Other TJX ventures in the off-price fashion market

included acquisitions of companies such as Chadwicks of Boston, B.J.’s Wholesale Club, and

Home Club. In 1987, Zayer went public, organizing as TJX Companies Incorporated (found on the

NYSE under the ticker symbol TJX). In 1996, TJX is added to the Standard & Poor’s S&P 500, and

by 2009 the company is ranked 119th in the Fortune 500.

Since its inception, TJX’s operations have remained steadfast. Based on the 2009 annual report, the

company operates five business segments (three reside in the U.S., and one each in Canada and Europe),

including eight retail chains. Each segment has its own administrative, buying and merchandising, and

organization and distribution network. The eight retail chains include T.J. Maxx, Marshalls, Home

Goods, A.J. Wright, HomeSense-Canada, StyleSense, T.K. Maxx, and HomeSense-Europe, selling

brand name items ranging from family apparel, accessories, bedding, and furniture to jewelry, beauty

products, and housewares. TJX’s core-target customer includes the middle- to upper middle-income

shopper. Consolidated net sales in 2009 were over $20 billion, total assets over $7 billion, and operating

cash flows over $2 billion (for financial information, visit TJX Companies website).

Among the key success factors for TJX’s rapid growth are its flexible business model and its

corporate culture. TJX’s culture centers on the management and staff acting with integrity, and

emphasizes that all people must be treated with dignity, respect, and caring. They operate under the

Remember Everyone Affects Customer Happiness (REACH) philosophy, which is dedicated to

providing customers, vendors, and co-workers with a level of caring that goes beyond stakeholder

expectations. Further, it is a culture in which success is measured not only on delivering results, but

also on how those results are achieved.

Information Technology

The success of TJX depends critically on their operational performance and the information

systems upon which their operations are based. Success, therefore, depends on TJX’s ability to have

1 Key laws include the Sarbanes-Oxley Act (SOX), Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), and Children’s Online Privacy Protection Act (COPPA).

2 Other regulations promulgated by the Payment Card Industry (PCI), Federal Trade Commission (FTC), and individual states.

522 Cereola and Cereola

Issues in Accounting Education Volume 26, No. 3, 2011

information systems that permit them to maintain a flexible business model, engage in opportunistic

purchasing, maintain an efficient inventory management system, and maintain low-cost operations.

As is prevalent in today’s businesses, TJX relies heavily on its information systems and, thus,

the ability to operate such systems efficiently and effectively has a significant impact on their

overall business operations. Implementing effective internal controls that ensure data reliability,

security, and confidentiality, along with an adequate disaster recovery plan, is essential for ongoing

operations and for reducing litigation risk.

Operations at TJX in 2009 include 19 distribution centers (13 located domestically and six

internationally). Information systems are managed through corporate computer networks and in-

store networks. The networks are linked worldwide, connect corporate headquarters with each

store, and are used for administrative purposes, as well as for processing sales transactions. These

networks also provide access for wireless devices used at each store.

In its daily operations, TJX uses computer networks to collect transaction information,

including personal information from customers as needed for credit card and debit purchases,

personal check verification, and un-receipted returns. Examples of data collected include credit/

debit account numbers, expiration dates and electronic security codes for payment authorization,

bank routing numbers, account and check numbers, driver’s license numbers, date of birth, name,

address, and/or other personal identification numbers (military or state documentation). The

information collected is used to obtain payment authorization and is transmitted from the in-store

networks to designated computers on the central corporate network, and from there to bank

networks. In response, the banks send authorization transmissions back to the corporate networks,

and this information is then transmitted back to the in-store networks.

The Data Security Breach

On December 18, 2006, TJX discovered an unauthorized intrusion into their computer systems

that process and store information related to customer transactions. The intrusion was identified

through suspicious software found on TJX’s computer systems. Upon discovery, TJX employed

both General Dynamics Corporation (GDC) and International Business Machines Corporation

(IBM), two leading computer security and incident response companies, to help with the

investigation.

The investigation began with an examination of TJX’s accounting information systems (AIS),

with the purpose of detecting anomalies in the system. On December 21, 2006, GDC and IBM

determined that TJX’s systems had indeed been breached and that an intruder was still in their AIS.

A security plan was set in motion designed to monitor the ongoing intrusion, protect customer data,

and strengthen the systems’ security from future attacks.

Events following the breach included TJX contacting the appropriate law enforcement

authorities, including the U.S. Department of Justice, U.S. Secret Service, and the U.S. Attorney’s

Office in Boston, Massachusetts, on December 22, 2006. Upon notification, TJX was advised by

the U.S. Secret Service not to disclose the breach publicly at this point, as it would impede upon

further investigation. On December 26th and 27th, contracting banks and debit, credit, and cash

processing companies were notified of the intrusion.

During the ongoing investigation, it was determined that personal, confidential customer

information was stolen, and that the scope of the breach spanned approximately 18 months. Public

notification of the intrusion was released on January 17, 2007, in a press release issued to the public

(for a complete copy of the press release, go to www.tjx.com and click on Investor Information and

then Press Releases; all releases are in chronological order). In the release, the Chairman and acting

Chief Executive Officer (CEO) stated:

Breach of Data at TJX: An Instructional Case Used to Study COSO and COBIT 523

Issues in Accounting Education Volume 26, No. 3, 2011

http://www.tjx.com
We are deeply concerned about this event and the difficulties it may cause our customers. Since

discovering this crime, we have been working diligently to further protect our customers and

strengthen the security of our computer systems, and we believe customers should feel safe

shopping in our stores. Our first concern is the potential impact of this crime on our customers,

and we strongly recommend that they carefully review their credit card and debit card

statements and other account information for unauthorized use. We want to assure our

customers that this issue has the highest priority at TJX.

As a result of the breach and as a courtesy to its customers, TJX established a special helpline

and created a special link on its company website which provided updated information on the

breach.

The investigation determined that the scope of the intrusion spanned from July 2005 until it

was detected on December 18, 2006. The breach occurred in computer operations at two corporate

offices, one located domestically and one internationally. Both corporate offices process and store

information related to payment card, check, and un-receipted merchandise return transactions for its

customers. Confidential customer information stored at these locations included debit/credit card

information, as well as personal customer information provided with un-receipted returns (these

included customer names and addresses, driver’s license numbers, and military/state identification

numbers, some of which were the same as the customers’ social security numbers).

Details of the examination revealed that the intruders’ initial point of access occurred in the

computer systems located in a Framingham, Massachusetts, store. Using directional antennas and a

laptop computer, the perpetrators intercepted electronic transmissions sent over TJX’s wireless

network. These transmissions included authorization requests, credit and debit card payments, and

other personal customer information. TJX’s systems, at that time, transmitted wireless transactions

using Wired Equivalent Privacy (WEP) technology. Other points of entry occurred at in-store

computer kiosks. Each kiosk is equipped with a personal computer (PC)-style system that is

directly connected to the corporate network and is used to capture jobseeker information. The

intruders connected USB drives with utility programs to these computers and then later used these

terminals to access the corporate network.

Electronic footprints left behind by the intruders on the TJX network identified encrypted

messages indicating which files had been copied. With these footprints, investigators were able to

piece together the dates as to when most of the data was stolen and found that most occurred during

peak sales periods. However, because of the technology used by the intruder, it was difficult for

TJX to determine the contents of the files that were stolen. Other evidence revealed that the

intruders used key logging technology to obtain user identification and password information from

the corporate network and then used this information to create fictitious accounts. These accounts

were later used to collect transaction information remotely.

Current Events/Financial Impact

Since the data breach, TJX has taken steps to increase computer security and protocols and

instituted an ongoing program to monitor data security. From the time of discovery, in 2006, to

2009, TJX expensed $171.5 million pre-tax related to the computer intrusion, and maintains $42.2

million reserve for future losses related to the breach.

TJX press releases highlighting the financial impact indicated: On November 30, 2007, TJX

announced an agreement with Visa USA and Visa Inc. to fund up to a maximum of $40.9 million

pre-tax in alternative recovery payments. On April 2, 2008, TJX announced agreement with

MasterCard International Inc. to fund up to a maximum of $24 million pre-tax in alternative

recovery payments. On June 23, 2009, TJX announced a settlement with a multi-state group of 41

Attorneys General relating to the data breach. In the settlement, TJX established a $2.5 million Data

524 Cereola and Cereola

Issues in Accounting Education Volume 26, No. 3, 2011

Security Fund for use by states to advance data security and technology, provided $5.5 million to

cover states’ expenses (including $1.75 million to cover investigation expenses), certified TJX’s

computer systems meet detailed data security requirements specified by states, and encouraged

development of new technologies to address vulnerabilities in payment card systems.

Other Information

Regulatory Complaints: In light of the data breach, the Federal Trade Commission (FTC) filed

a complaint against TJX Companies in 2008, indicating that they had violated the provisions of the

FTC Act (FTC 2008). The complaint alleged that TJX engaged in a number of practices that failed

to provide reasonable security of personal information in its networks and, as such, resulted in a

computer intrusion (for a complete copy of the FTC complaint, visit www.ftc.gov, click on Actions,

then Cases by Name, and search for ‘‘The TJX Companies, Inc.’’; Docket No. C-072-3055).

Payment Card Industry Standards: All organizations that accept, transmit, or store cardholder

information must follow Payment Card Industry Data Security Standards (PCI DSS) (PCI Security

Standards Council 2008). TJX utilizes commercially available systems to process payment card and

personal information. The technology used for data transmissions and approval is determined and

controlled for by the payment card industry (PCI).

CASE REQUIREMENTS AND QUESTIONS

As part of your first assignment on the TJX task force, you will be responsible for one or more

of the following case requirements listed below. Before starting the requirements, read the case

material. To successfully complete the case, you are required to obtain supplemental evidence

obtained through discovery research of credible sources external to the information provided in the

case (e.g., TJX website, TJX 10-K reports, etc.).

Assignment 1

1992 COSO Framework Assessment Requirements

Using the 1992 COSO framework, perform a robust risk assessment of the case, identifying

any internal control issues related to each of the five 1992 COSO components identified below.

Next, classify each internal control issue as a strength or weakness, and then for each weakness,

assess its risk as high, moderate, or low (high risk occurs when a company does not have any

corrective actions in place when a key internal control weakness is found, and the company suffers

a substantial loss as a result; moderate risk occurs when an internal control weaknesses is found and

the company does not have any corrective actions in place, however, only minor losses may occur

as a result; and a low risk occurs when an internal control weakness is found and is considered a

control deficiency). Finally, classify each risk as a financial, compliance, and/or operational risk

(financial refers to internal controls designed to provide reasonable assurance regarding the

reliability of the financial statements; compliance is concerned with adherence to rules, policies, and

procedures, both internal and external to the organization; and operational is concerned with the

effectiveness and efficiency of the organization’s activities and whether they help to reduce risks

faced by the organization). Use Exhibit 1 to document your work.

1. Control Environment: Includes the evaluation of both soft and hard controls. Soft controls

consist of integrity and ethical values, commitment to competence, board of directors and

audit committee, and management’s philosophy and operating style. Hard controls include

organizational structure, assignment of authority and responsibility, and human resource

policies and procedures.

Breach of Data at TJX: An Instructional Case Used to Study COSO and COBIT 525

Issues in Accounting Education Volume 26, No. 3, 2011

http://www.ftc.gov
EXHIBIT 1

Requirement 1 TJX 1992 COSO Risk Assessment Matrix

Risk Assessment (High, Moderate, or Low); Type Risk (F = Financial, C = Compliance, and/or O = Operational)

Note: When completing this requirement, additional rows may be added as needed.

COSO Component Control Issue Strength or Weakness

Risk Assessment Type Risk

1. Control Environment: TJX does not have a board of directors

information technology committee

Weakness Low F, C, O

2. Risk Assessment

3. Control Activities

4. Information and

Communication

(continued on next page)

526 Cereola and Cereola

Issues in Accounting Education Volume 26, No. 3, 2011

2. Risk Assessment: Relevant risks that can impact organizational goals and objectives are

identified and assessed. Includes risk assessment in relation to company-wide objectives,

process-level objectives, risk identification and analysis, and managing change.

3. Control Activities: Include policies and procedures in place that limit risks that may impact

organization’s objectives. Examples include activities related to security (application and

network), application change management, business continuity and backups, and

outsourcing.

4. Information and Communication: Relevant information must be identified, captured, and

communicated in a form and timeframe that allows individuals to carry out their

responsibilities. Assessment involves evaluating the quality of information and

effectiveness of the communication.

5. Monitoring: A process must exist to verify internal control systems are functioning over

time. Accomplished through ongoing monitoring, separate evaluations, and reporting of

deficiencies.

Assignment 2

2004 COSO ERM Framework Assessment Requirements

Using the COSO ERM framework (COSO 2004), perform a robust risk assessment identifying

any internal control issues related to each of the eight components identified below. Next, classify

each internal control issue as a strength or weakness, and then, for each weakness, assess its risk as

high, moderate, or low (high risk occurs when a company does not have any corrective actions in

place when a key internal control weakness is found, and the company suffers a substantial loss as a

result; moderate risk occurs when an internal control weaknesses is found and the company does

not have any corrective actions in place, however, only minor losses may occur as a result; and a

low risk occurs when an internal control weakness is found and is considered a control deficiency).

Finally, classify each risk as a financial, compliance, and/or operational risk (financial refers to

internal controls designed to provide reasonable assurance regarding the reliability of the financial

statements; compliance is concerned with adherence to rules, policies, and procedures, both internal

and external to the organization; and operational is concerned with the effectiveness and efficiency

of the organization’s activities and whether they help to reduce risks faced by the organization). Use

Exhibit 2 to document your work.

EXHIBIT 1 (continued)

COSO Component Control Issue Strength or Weakness

Risk Assessment Type Risk

5. Monitoring

Breach of Data at TJX: An Instructional Case Used to Study COSO and COBIT 527

Issues in Accounting Education Volume 26, No. 3, 2011

EXHIBIT 2

Requirement 2 TJX 2004 COSO ERM Risk Assessment Matrix

Risk Assessment (High, Moderate, or Low); Type Risk (F = Financial, C = Compliance, and/or O = Operational).

Note: When completing this requirement, additional rows may be added as needed.

COSO ERM Component Control Issue

Strength or Weakness

Risk Assessment

Type Risk

1. Internal Control

Environment

TJX does not have a board of directors

information technology committee

Weakness Low F, C, O

2. Objective Setting

3. Event Identification

4. Risk Assessment

5. Risk Response

(continued on next page)

528 Cereola and Cereola

Issues in Accounting Education Volume 26, No. 3, 2011

1. Internal Environment: Encompasses the tone of the organization, sets the basis for how

risk is perceived and addressed.

2. Objective Setting: Ensures management has in place a process to set objectives that

support and are in line with the entity’s mission and are consistent with their risk appetite.

3. Event Identification: Identifies internal and external events that may impact the

achievement of an entity’s objectives, distinguishing between risks and opportunities.

4. Risk Assessment: Analyzes risks, considering the likelihood and impact as a basis for how

risks should be managed.

5. Risk Response: Management selects a risk response: avoiding, accepting, reducing, or

sharing risk; develops a set of actions aligned with the entity’s risk tolerance and appetite.

6. Control Activities: Include policies and procedures in place that limit risks that may impact

the organization’s objectives. Examples include activities related to security (application

and network), application change management, business continuity and backups, and

outsourcing.

7. Information and Communication: Relevant information must be identified, captured, and

communicated in a form and timeframe that allows individuals to carry out their

responsibilities. Assessment involves evaluating the quality of information and

effectiveness of the communication.

EXHIBIT 2 (continued)

COSO ERM Component Control Issue

Strength or Weakness

Risk Assessment

Type Risk

6. Control Activities

7. Information and

Communication

8. Monitoring

Breach of Data at TJX: An Instructional Case Used to Study COSO and COBIT 529

Issues in Accounting Education Volume 26, No. 3, 2011

EXHIBIT 3

Requirement 3 TJX 2007 COBIT Risk Assessment Matrix

Risk Assessment (High, Moderate, or Low); Type Risk (F = Financial, C= Compliance, and/or O = Operational)

Note: When completing this requirement, additional rows may be added as needed.

COBIT Component Control Issue Strength or Weakness

Risk Assessment

Type Risk

1. Plan and Organize (IT

environment)

Assessment of Risks—lack of control

over information technology

environment

Weakness High F, C, O

2. Acquire and Implement

(program development

and change)

3. Deliver and Support

(computer operations

and access to programs

and data)

(continued on next page)

530 Cereola and Cereola

Issues in Accounting Education Volume 26, No. 3, 2011

8. Monitoring: A process must exist to verify internal control systems are functioning over

time. Accomplished through ongoing monitoring, separate evaluations, and reporting of

deficiencies.

Assignment 3

2007 COBIT Framework Assessment Requirements

Using the 2007 COBIT framework related to each of the four domains identified below,

perform a robust risk assessment identifying any internal control issues related to the use of

information technology. Next, classify each internal control issue as a strength or weakness, and

then, for each weakness, assess its risk as high, moderate, or low (high risk occurs when a company

does not have any corrective actions in place when a key internal control weakness is found, and

the company suffers a substantial loss as a result; moderate risk occurs when an internal control

weakness is found and the company does not have any corrective actions in place, however, only

minor losses may occur as a result; and a low risk occurs when an internal control weakness is

found and is considered a control deficiency). Finally, classify each risk as either a financial,

compliance, and/or operational risk (financial refers to internal controls designed to provide

reasonable assurance regarding the reliability of the financial statements; compliance is concerned

with adherence to rules, policies, and procedures, both internal and external to the organization;

and operational is concerned with the effectiveness and efficiency of the organization’s activities

and whether they help to reduce risks faced by the organization). Use Exhibit 3 to document your

work.

1. Plan and Organize: Define strategic plan, identify IT that may contribute to the

achievement of business strategy/objectives, ensure compliance with external require-

ments, assess risk, and manage projects.

2. Acquire and Implement: Acquire, develop, and implement IT solutions identified.

3. Deliver and Support: Concerned with the delivery of required services, including support,

training, education, security, and continuity. Manage configuration, data, facilities

operations, and problems.

4. Monitor and Evaluate: Assess IT for quality and compliance (management oversight,

independent assurance by internal and external sources, independent audit).

EXHIBIT 3 (continued)

COBIT Component Control Issue Strength or Weakness

Risk Assessment

Type Risk

4. Monitor and Evaluate

(IT environment)

Breach of Data at TJX: An Instructional Case Used to Study COSO and COBIT 531

Issues in Accounting Education Volume 26, No. 3, 2011

E X

H IB

IT 4

R eq

u ir

em en

t 4

1 9

9 2

C O

S O

-2 0

0 7

C O

B IT

M a

p p

in g

M a

tr ix

N o

te :

W h

en co

m p

le ti

n g

th is

re q

u ir

em en

t, ad

d it

io n

al ro

w s

m ay

b e

ad d

ed as

n ee

d ed

.

C O

B IT

C o

m p

o n

en t

C O

S O

C o

m p

o n

en t

C o

n tr

o l

E n

v ir

o n

m en

t R

is k

A ss

es sm

en t