TJX did not uphold industry standards. PCI Data Security Standard requirement 3.4 requires that, at a minimum, the customer's "primary account number" (i.e., the customer's card number) be "rendered unreadable" (Berg, Freeman, & Schneider, 2008). Furthermore, PCI Data Security Standard requirements 3.5 and 3.6 require merchants to protect the encryption keys used to secure customer data from disclosure and misuse (Berg, Freeman, & Schneider, 2008).
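Requirement 3.4 lists truncation, one-way hashes built on strong cryptography, index tokens and pads, and strong encryption with proper key management as acceptable ways to render a stored PAN unreadable. The Python below is an added illustration, not part of this essay and not code from any TJX system: it shows two of those methods (truncation and a keyed one-way hash) alongside the kind of scan an assessor would run over stored records to find card numbers that are still readable. The card numbers are constructed test-style values that merely pass the Luhn check, and the HMAC key is a placeholder; in practice the key would be held in a key-management system separate from the data, which is what requirements 3.5 and 3.6 are about.

```python
import hashlib
import hmac
import re

# Constructed sample values: Luhn-valid test-style numbers, not real accounts.
SAMPLE_PANS = ["4111111111111111", "5500000000000004"]

# Placeholder key for the example only; a real deployment pulls this from a
# KMS/HSM and never stores it next to the cardholder data (PCI DSS 3.5/3.6).
PLACEHOLDER_KEY = b"example-key-from-kms"


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep at most the first six and last four digits, mask the rest.

    This is one of the methods requirement 3.4 accepts; the result can no longer
    be used as a card number but still supports lookups by BIN and last four.
    """
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the PAN.

    A plain unkeyed hash of a 16-digit number can be reversed by enumerating the
    PAN space, so the hash is keyed; without the key the stored value is useless.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


# 13 to 19 consecutive digits not adjacent to other digits: the shape of a PAN.
PAN_PATTERN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_readable_pans(text: str) -> list:
    """Scan stored text for digit runs that look like a PAN and pass Luhn.

    This is the check to run over logs, databases and exports: any hit is a
    cleartext PAN and therefore a requirement 3.4 failure.
    """
    return [m.group(0) for m in PAN_PATTERN.finditer(text) if luhn_valid(m.group(0))]


if __name__ == "__main__":
    # Constructed sample record as it might appear in an unprotected store.
    record = "cust=42 pan=4111111111111111 amt=19.99 phone=5551234567"
    print("readable PANs before:", find_readable_pans(record))
    protected = record.replace("4111111111111111", truncate_pan("4111111111111111"))
    print("readable PANs after truncation:", find_readable_pans(protected))
    print("keyed hash:", hash_pan("4111111111111111", PLACEHOLDER_KEY))
```

The scanner deliberately requires both the digit-run shape and a Luhn match, so the ten-digit phone number in the sample record is not reported while the full card number is; after truncation the record contains no 13-digit run and the scan comes back empty.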
Loss of confidentiality is prevented by ensuring that data is not disclosed to unauthorized users (Gibson, 2012); in this case, the data was not protected. Although TJX authenticated users within its organization, it had nothing in place to prevent intruders from obtaining its employees' user IDs and passwords. Using a WEP wireless network did not protect against loss of confidentiality, and this gave the intruders access. Protecting integrity prevents any unauthorized or unwanted modification of data (Gibson, 2012). Integrity was not protected either: it took years for TJX to notice that its systems had been infiltrated by hackers, who were creating their own IDs and passwords while the gatekeepers were clueless. Preventing the loss of availability ensures that the information technology (IT) systems and