
What the intruders either learned or physically planted that day helped them later hack into TJX’s main database, where they quietly pilfered data for two years and ended up executing the largest data breach in the nation’s history.
Investigators told the newspaper that the St. Paul, Minn., Marshalls location was running a wireless network protected by the weak Wired Equivalent Privacy (WEP) industry standard, which has since been superseded by the more robust Wi-Fi Protected Access (WPA) guidelines.
TJX operates more than 2,000 discount retailers, including hundreds of Marshalls.
Gartner Vice President and Senior Fellow John Pescatore told SCMagazine.com that the replacement standards - required under the Payment Card Industry mandates - are much more secure than WEP, which was "riddled with holes," he said.
"The encryption to keep someone from breaking in was done very poorly in this first generation," he said. "It's no better than [no security at all]. This is something I would have thought an audit would've caught."
According to the newspaper, the hackers used an antenna, which Pescatore said is a common tool for picking up a wireless signal from a distance.
He said he has heard of people creating antennae out of Pringles potato chip cans - and several websites offer instructions on how to do so. Then, he said, "all it takes is a laptop with Windows XP and it tells you what access points it can hear. It doesn't take any special equipment."
The hackers may have planted some malware on the network that day to help them later access the central database, or they may have stolen certain data that allowed them to later intrude, Pescatore said.
"The basic issue is if you connect to an access point that puts you on the network, it's just as good as if you broke into their data center and sat down on a PC," Pescatore said. "You're on their network."
The incident highlights the need for business executives to understand the value of information assets, Wain Kellum, president and CEO of Atlanta-based Trusted Network Technologies, told SCMagazine.com.
He said that in many cases "fairly low-level network engineers" create wireless policies without any understanding of risk or financial impact to the organization if there is a breach.
"Management people are now starting to get aware that they have to participate in the dialogue," Kellum said.
A TJX spokeswoman could not be reached for comment today.
Since the breach, the Federal Trade Commission has launched an investigation, and three New England banking associations filed a lawsuit seeking to recoup costs associated with fraudulent purchases.
However, TJX has reported no negative effect on sales, which rose during the first quarter of this year.