TJX breach tied to Wi-Fi exploits

By Bill Brenner, Senior News Writer
07 May 2007 | SearchSecurity.com


The hackers who ransacked TJX Companies Inc.'s computer network and exposed at least 45.7 million credit and debit card holders to identity fraud reportedly began their assault by exploiting Wi-Fi weaknesses at a Marshalls clothing store near St. Paul, Minn.

Investigators told The Wall Street Journal they believe the thieves aimed a telescope-shaped antenna at the store and used a laptop to snatch data transmitted between hand-held price-checking devices, cash registers and the store's computers. The exploit eventually led them into the central database of Framingham-based TJX, where they would repeatedly rob the system of sensitive customer data.

This latest revelation comes two weeks after three New England banking associations and some individual banks announced a lawsuit against TJX. Banks have suffered a heavy financial toll over the breach, having to shell out a significant sum of money to replace compromised cards and cover fraudulent charges traced back to the TJX incident. The Massachusetts Bankers Association, Connecticut Bankers Association, Maine Association of Community Banks and some individual banks argue that TJX failed to protect customer data with adequate security measures, and that the retail giant was less than honest about how it handled data.

TJX has acknowledged that at least 45.7 million credit and debit cards were stolen over an 18-month period by hackers who managed to penetrate its network. The company gave a tally of the damage in a regulatory filing with the Securities and Exchange Commission (SEC) in March, and also acknowledged that another 455,000 customers who returned merchandise without receipts were robbed of their driver's license numbers and other personal information.

Avivah Litan, vice president of research with Stamford, Conn.-based Gartner Inc., has called the TJX breach the largest online burglary ever.

By comparison, 26.5 million veterans and active duty personnel were affected by the theft of a Department of Veterans Affairs (VA) laptop and external hard drive last year. And in 2005, credit card transaction processor CardSystems Solutions Inc. acknowledged that hackers had stolen 263,000 customer credit card numbers and exposed 40 million more to fraud.

TJX acknowledged in January that an attacker exploited a flaw in a portion of its computer network that handles credit card, debit card, check, and merchandise return transactions.

The TJX breach was worse than first thought. The company initially believed that attackers had access to its network between May 2006 and January 2007. However, TJX recently admitted that thieves were inside the network several other times, beginning in July 2005. In last month's SEC filing, the company said the stolen data covers transactions dating back even further, to December 2002. The Federal Trade Commission (FTC) is investigating the breach.

TJX violated some of the basic tenets of the PCI Data Security Standard (PCI DSS), several PCI auditors told SearchSecurity.com recently, and the company will pay a heavy financial price. They said companies should study the TJX security breach for clear lessons on what not to do with customer data.

The Massachusetts Bankers Association has reported that several of its member banks have been affected by fraudulent transactions associated with the TJX data breach. The stolen data has reportedly been used to make purchases in Florida, Georgia and Louisiana, as well as in Hong Kong and Sweden. In addition, credit card issuers have contacted at least 60 banks about compromised cards.

Law enforcement officials in Florida, meanwhile, claim thieves were using customer data from TJX last November for a gift card scheme -- a month before TJX learned of the breach. Police charged six people with using the credit card numbers to purchase about $1 million in merchandise with gift cards.

TJX also faces litigation from other groups. The Arkansas Carpenters Pension Fund -- which owns 4,500 shares of TJX stock -- filed a suit against the company under a law permitting shareholders to sue for access to corporate documents in certain cases. The pension fund wants the records to see whether TJX's board has been doing its job in overseeing the company's handling of customer data.

In late January, a West Virginia woman filed a class action lawsuit against the company accusing it of negligence for not doing enough to secure customer data and for keeping quiet about the breach for a month.
