Wi-Fi hack caused TK Maxx security breach

Hackers who stole 45 million customer records from the parent company of TK Maxx did so by breaking into the retail company's wireless LAN, it emerged on Monday.

TK Maxx's parent company, TJX, had secured its wireless network using Wired Equivalent Privacy (WEP) — one of the weakest forms of security for wireless LANs. Hackers broke in and stole the records — which included millions of credit card numbers — in the second half of 2005 and throughout 2006.

According to The Wall Street Journal, the hackers cracked the WEP encryption protecting traffic between price-checking devices, cash registers and computers at a store in Minnesota. The intruders then captured the usernames and passwords that employees submitted when logging on to the company's central database in Massachusetts.

With those credentials, the hackers set up their own accounts on TJX's system. Over the 18-month period, their software collected transaction data, including credit-card numbers, into approximately 100 large files. Transaction data that TJX sent to banks unencrypted is also believed to have been intercepted. According to The Wall Street Journal, the attackers even left encrypted messages on the TJX network to tell each other which files had been copied.

A Securities and Exchange Commission (SEC) filing in March revealed that TJX believed the attackers had stolen information from its computer systems in Watford that process and store payment card transactions for TK Maxx.

TJX also believed data had been stolen from the part of its computer systems in Massachusetts that processes and stores information related to payment card, cheque and unreceipted merchandise-return transactions for US and Puerto Rico customers at a number of its stores. Analysts have estimated the breach will cost the company approximately $1bn (£500m), excluding any litigation costs.

Many security experts have criticised the strength of WEP encryption. WEP was first broken in 2001, and most recently by German researchers last month, who recovered a 104-bit WEP key in under a minute on an ordinary laptop: once enough traffic had been captured, the key-recovery computation itself took about three seconds.
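The two paragraphs above say only that WEP is weak and was cracked. The following is an added example, not code from the article, from TJX or from the researchers it cites, showing in plain Python why the protocol fails even before any key-recovery attack is run: WEP keys RC4 with a 24-bit cleartext IV prepended to the shared key, so IVs repeat and keystream is reused, and it protects integrity with a linear CRC-32, so ciphertext bits can be flipped without the key. The key, IV and frame contents are constructed for the demo; the 2001 and 2007 key-recovery attacks themselves are not implemented here.

```python
"""Added example (not the article's or TJX's code): two structural WEP flaws.

WEP encrypts a frame as IV || RC4(IV || key) XOR (payload || CRC32(payload)).
  1. Only 2^24 IVs exist; two frames under the same IV share keystream, so
     XORing their ciphertexts gives the XOR of the plaintexts.
  2. CRC-32 is linear, so chosen bits can be flipped and the encrypted
     integrity value (ICV) fixed up without knowing the key.
Keys, IVs and payloads below are constructed for this demo.
"""
import struct
import zlib

KEY = b"\x01\x02\x03\x04\x05"       # constructed 40-bit WEP key
IV = b"\x00\x00\x01"                 # constructed IV, deliberately reused below
P_A = b"PRICE item=01234 GBP 9.99"   # constructed price-check payload (25 bytes)
P_B = b"LOGIN user=till7 pw=hunt1"   # constructed login payload (25 bytes)


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream of the given length (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return iv || RC4(iv || key) XOR (plaintext || CRC32(plaintext))."""
    body = plaintext + struct.pack("<I", zlib.crc32(plaintext))
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Return (plaintext, icv_ok): the check a WEP receiver performs."""
    iv, body = frame[:3], frame[3:]
    dec = xor(body, rc4(iv + key, len(body)))
    plaintext, icv = dec[:-4], dec[-4:]
    return plaintext, struct.unpack("<I", icv)[0] == zlib.crc32(plaintext)


def recover_from_iv_reuse(frame_a: bytes, known_plain_a: bytes, frame_b: bytes) -> bytes:
    """Flaw 1: same IV means same keystream, so C_a XOR C_b == P_a XOR P_b.
    With P_a known (e.g. a predictable protocol header) P_b is recovered keylessly."""
    assert frame_a[:3] == frame_b[:3], "needs two frames sharing an IV"
    plain_xor = xor(frame_a[3:], frame_b[3:])
    return xor(plain_xor[:len(known_plain_a)], known_plain_a)


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Flaw 2: return a frame that decrypts to P XOR delta with a valid ICV,
    without the key, using crc(P ^ D) == crc(P) ^ crc(D) ^ crc(zeros)."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    assert len(delta) == n, "delta must cover the whole payload"
    icv_adjust = zlib.crc32(delta) ^ zlib.crc32(bytes(n))
    return iv + xor(body, delta + struct.pack("<I", icv_adjust))


def demo() -> dict:
    frame_a = wep_encrypt(KEY, IV, P_A)
    frame_b = wep_encrypt(KEY, IV, P_B)       # same IV: keystream reused
    leaked = recover_from_iv_reuse(frame_a, P_A, frame_b)
    # Rewrite the login frame's user from "till7" to "admin" with no key.
    off = P_B.index(b"till7")
    delta = bytearray(len(P_B))
    delta[off:off + 5] = xor(b"till7", b"admin")
    forged_plain, forged_ok = wep_decrypt(KEY, flip_bits(frame_b, bytes(delta)))
    return {"leaked": leaked, "forged_plain": forged_plain, "forged_icv_ok": forged_ok}


if __name__ == "__main__":
    r = demo()
    print("recovered without the key:", r["leaked"])
    print("forged frame decrypts to:", r["forged_plain"], "ICV ok:", r["forged_icv_ok"])
```

Both results are obtained by someone who only sniffs and injects frames and never learns the key, which is why a WEP network exposes the credentials and transaction data described above regardless of key length; the 2001 and 2007 attacks go one step further and recover the key itself from captured traffic.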

TJX had not responded to a request for comment at the time of writing.

Talkback

will happen over and over again until immediate realistic liability by law is introduced and enforced throughout the entire chain involved.

Bad security is mostly never a single entity's fault. Usually a whole chain is involved with plenty of room for pointing blaming fingers. There's also the market attitude, whole generations out there that don't have the first clue about what's involved with security. Poorly educated in that area but worked their way up to decision-making or advising level nonetheless. No-one will force the solution that's secure but customers and end-users won't swallow or can't get their poorly security-wise minds wrapped around. User friendliness and "functionality" is still chosen above security. Also because most of the stuff in use out there is insecure. For instance, WEP is still a de facto standard out there. And USB. Why?

With hindsight plenty of people demand security. Are even willing to give up privacy and other rights. But ask them to give up WEP, USB, Windows and such and they refuse. You can't have it both ways. You can't smoke and be guaranteed to not get lung cancer. You can't drink and be guaranteed to not get liver problems. You can't eat fat and sugar all the time and be guaranteed to not die early. You can't use IT stuff that you can buy in any store and be guaranteed IT security. In short, you get what you pay for. Shape up or shut up. Either put in the effort beforehand or deal with the consequences afterwards. It's as simple as that.

Reality of life is that if you ask a question to any vendor, advisor, expert, decision maker, etc, you're likely to get an answer that will differ from the answer you would get if a huge contractual penalty clause is involved. Problem is that most are not in the position to introduce such clauses in realistic ways.

The real issue is that IT holds a very unique liability position in today's world. They can practically say or do anything and get away with it, or slightly damaged (but still way below their profit margins). For the record, Microsoft is not alone in this. Somehow I can't blame them for milking that all the way business wise but I blame them for not taking their social responsibility. Again, you get what you pay for. And if you pay for what you're told then, boy, you will be milked. Big time.

To sum it up: "they should have" is a much too simple conclusion. That's symptom fighting with hindsight. The trick is to solve causes beforehand. No-one will put in the effort to reach real security market wide until fingers get tapped real hard and people get educated.

Thing is that real security is not on the corporate and political agenda. And even if it is, it's only about fighting symptoms, PR, power, control, votes and such.

Arthur B. 12 May, 2007 23:08