Weak wireless security to blame, reports WSJ...
By Tom Espiner
Published: 9 May 2007 09:51 GMT
Hackers who stole 45 million customer records from the parent company of TK Maxx did so by breaking into the retail company's wireless LAN , it has emerged.
TK Maxx's parent company, TJX, had secured its wireless network using WEP (wired equivalent privacy) - one of the weakest forms of security for wireless LANs. Hackers broke in and stole the records - which included millions of credit card numbers - in the second half of 2005 and throughout 2006.
According to The Wall Street Journal, hackers cracked the WEP encryption protocol used to transmit data between price-checking devices, cash registers and computers at a store in Minnesota. The intruders then collected information submitted by employees logging on to the company's central database in Massachusetts, stealing usernames and passwords.
With that information, the hackers set up their own accounts on TJX's system. Over the 18-month period, their software collected transaction data, including credit-card numbers, into approximately 100 large files. Transaction data sent to banks, which was unencrypted by TJX, is also believed to have been intercepted by the hackers. According to The Wall Street Journal, the attackers even left encrypted messages on the TJX network to tell each other which files had been copied.
A US Securities and Exchange Commission filing in March revealed TJX believed the attackers had stolen information from its computer systems in Watford which process and store payment card transactions for TK Maxx.
TJX also believed data had been stolen from the part of its computer systems in Massachusetts that processes and stores information related to payment card, cheque and unreceipted merchandise-return transactions for US and Puerto Rico customers at a number of its stores. Analysts have estimated the breach will cost the company approximately $1bn, excluding any litigation costs.
Many security experts have criticised the strength of WEP encryption. WEP was initially cracked in 2001 and, most recently, it was broken by German researchers last month who beat the encryption using an ordinary laptop in under three seconds.
TJX had not responded to a request for comment at the time of writing.
Tom Espiner writes for ZDNet UK
Fully accountable for maintaining records of engineering effort/time in accordance with specified standard practice. By sending us your CV, you are ...
Due to impressive levels of growth and expansion at one of their main sites, a leading high street fashion retailer are looking for a reports analyst ...
Ideally you will have come from a credit card/ banking background. Business Analyst. You will have recent experience of working within Bank that ...
Agenda Setters 2009
Welcome to the ninth annual Agenda Setters poll – silicon.com's list of the top 50 most influential individuals in the technology and IT industries, from techies and CIOs to entrepreneurs and business leaders. Find out more in our latest special report.
Stories from the web...
Copyright © 2008 CBS Interactive Limited. All rights reserved. Top of page
Digg
Slashdot
Del.icio.us
Stumble
Reddit
RSS Feeds
Tim Ferguson Exclusive: Former MySQL boss Marten Mickos talks open source Why Microsoft could become one of the "biggest friends of open source" and why Oracle getting its hands on MySQL could be "one of the biggest open source coups ever"...
Naked CIO Naked CIO: Cloud computing more expensive than we thought? Smart IT leaders will examine the impact of how they pay for tech