Report: TJX thieves exploited wireless insecurities
Published: 2007-05-04

The insecure wireless network at a Marshalls discount clothing store near St. Paul, Minn., may have allowed high-tech attackers to gain a beachhead in retail giant TJX Companies' computer network, resulting in the theft of information on at least 45.6 million credit and debit cards, the Wall Street Journal reported on Friday.

While TJX's other systems were upgraded to Wi-Fi Protected Access (WPA), the Marshalls store's wireless network connecting credit-card processing hardware to the company's server was not, investigators working on the case told the WSJ (subscription required).

"It was as easy as breaking into a house through a side window that was wide open," said a person familiar with TJX's internal probe, according to the WSJ article.

The wireless industry's first attempt at wireless network security, known as Wired Equivalent Privacy (WEP), became well known among security experts for its hackability. In 2003, two men were arrested and later convicted on charges of using a wireless network to attempt to hack into a Lowe's home improvement store's processing system. Insecure wireless networks are thought to be responsible for data theft that occurred at other retail stores in 2005 and 2006.

In January, TJX Companies -- the owner of T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico and Winners and HomeSense stores in Canada -- acknowledged that online attackers had apparently stolen credit and debit card data from its processing systems. In March, the company estimated that information on at least 45.6 million credit and debit cards had been stolen by the thieves, but the Wall Street Journal quoted investigators claiming that as many as 200 million accounts may have been compromised. Authorities in Florida have blamed a ring of fraudsters using cards bought from the TJX thieves for an $8 million gift-card fraud scheme. Banks, which have to foot the bill to replace their customers' credit and debit cards after such compromises, have sued TJX Companies.

The Wi-Fi Industry Alliance strengthened wireless security when it introduced the WPA specification in 2002 and started certifying wireless network devices as WPA compliant in early 2003. TJX Companies has previously stated that the intrusions into its network started in July 2005.

Posted by: Robert Lemos
Copyright 2009, SecurityFocus