TJX Revises Consumer Settlement, Agrees To Pay Cash

The Wall Street Journal is reporting that the TJX break-in started in July 2005 with a wireless hack of a Marshalls in St. Paul, Minn, where the thieves "pointed a telescope-shaped antenna toward the store and used a laptop computer to decode data streaming through the air between hand-held price-checking devices, cash registers [POS presumably]and the store's computers. That helped them hack into the central database of Marshalls' parent, TJX Cos. in Framingham, Mass., to repeatedly purloin information about customers."

The news that the attack was wireless is not unexpected, as wireless attacks have become very popular means of attacking retail chains and because hints that the TJX attacks were wirelessly based have been frequent. But the level of specifics in the Journal story are surprising.

The story also said that an auditor found that TJX "failed to install firewalls and data encryption on many of its computers using the wireless network, and didn't properly install another layer of security software it had bought."

That software could very well have been encryption software from Ingrian Networks. We have reported that Ingrian had sold software to TJX, which hadn't installed it at the time the data breach was discovered.

One PCI auditor who has been involved in the TJX probe couldn't confirm all of the details in the Journal but said that a wireless hack is not surprising, as it's the most common attack method with retail chains today.

"By focusing on those little handheld (pricecheck) guns and their interactions with the database controller, you can capture IP addresses. That's your gateway," the auditor told StorefrontBacktalk. [Note to readers: We typically resist referring to ourselves in text, but it's necessary here to differentiate what our sources told us from what the Journal is quoting sources as telling them.] Even if a store IT manager is watching the traffic, the source said, it often won't even look suspicious. "They won't see any difference between you and one of their handheld devices."

The Journal also reported that the attackers performed "most of their break-ins during peak sales periods to capture lots of data" and then "used that data to crack the encryption code" and then they "digitally eavesdropped on employees logging into TJX's central database in Framingham and stole one or more user names and passwords. With that information, they set up their own accounts in the TJX system and collected transaction data including credit-card numbers into about 100 large files for their own access. They were able to go into the TJX system remotely from any computer on the Internet," according to sources who spoke with the Journal. "They were so confident of being undetected that they left encrypted messages to each other on the company's network, to tell one another which files had already been copied and avoid duplicating work."

The Journal also referenced a Sept. 29 audit report that it wasn't PCI compliance. " The auditor's report cited the outmoded WEP encryption and missing software patches and firewalls. Then on Dec. 18, another auditor found anomalies in the company's card data. At that point, TJX hired forensics experts from International Business Machines Corp. and General Dynamics Corp. and notified the U.S. Secret Service, which spent a month trying to catch the hackers in the act. But the data thefts stopped and the hackers had obscured their whereabouts by using the Internet addresses of private individuals and public places such as coffee houses. Investigators did find traces of the hackers: altered computer files, suspicious software and some mixed-up data such as time stamps in the wrong order."