Report: TJX breach began in Minnesota Marshalls parking lot

Share this article:

The suspects who lifted the personal data of 45.7 million customers from TJX's processing systems hatched their elaborate plan some two years ago at a Marshalls outlet in Minnesota, where they used simple technology to tap into the store's wireless connection, The Wall Street Journal reported today.

According to the story, citing investigators, the intruders, from the parking lot, used a "telescope-shaped antenna" and a laptop to decode data that was moving among the Marshalls store’s scanning devices, cash registers and PCs, which were using wireless LAN connectivity.

What the intruders either learned or physically planted that day helped them later hack into TJX’s main database, where they quietly pilfered data for two years and ended up executing the largest data breach in the nation’s history.

Investigators told the newspaper that the St. Paul, Minn. Marshalls location was running a wireless network protected by the weak Wired Equivalent Privacy (WEP) industry standards, which have since been superseded by the more robust Wi-Fi Protected Access (WPA) guidelines.

TJX operates more than 2,000 discount retailers, including hundreds of Marshalls.

Gartner Vice President and Senior Fellow John Pescatore told SCMagazine.com today that the replacement standards - required under the Payment Card Industry mandates - are much more secure than WEP, which was "riddled with holes," he said.

"The encryption to keep someone from breaking in was done very poorly in this first generation," he said. "It's no better than (no security at all). This is something I would have thought an audit would've caught."

According to the newspaper, the hackers used an antenna, a common tool used to retrieve a wireless signal from a distance, Pescatore said.

He said he has heard of people creating antennae out of Pringles potato chip cans - and several websites offer instructions on how to do so. Then, he said, "all it takes is a laptop with Windows XP and it tells you what access points it can hear. It doesn't take any special equipment."

The hackers may have planted some malware on the network that day to help them later access the central database, or they may have stolen certain data that allowed them to later intrude, Pescatore said.

"The basic issue is if you connect to an access point that puts you on the network, it's just as good as if you broke into their data center and sat down on a PC," Pescatore said. "You're on their network."

The incident highlights the need for business executives to understand the value of information assets, Wain Kellum, president and CEO of Atlanta-based Trusted Network Technologies, told SCMagazine.com today.

He said that in many cases "fairly low-level network engineers" create wireless policies without any understanding of risk or financial impact to the organization if there is a breach.

"Management people are now starting to get aware that they have to participate in the dialogue," Kellum said.

A TJX spokeswoman could not be reached for comment today.

Since the breach, the Federal Trade Commission has launched an investigation, and three New England banking associations filed a lawsuit seeking to recoup costs associated with fraudulent purchases.

However, TJX has reported no negative effect on sales, which rose during the first quarter of this year.

Click here to email reporter Dan Kaplan.

Share this article:

Sign up to our newsletters

More in News

Cyber Command tests gov't collaboration in wake of attacks

The two-week exercise, "Cyber Guard 14-1," was completed this month.

Text message spammer settles charges filed by FTC

Text message spammer settles charges filed by FTC

Rishab Verma and his company agreed to settle charges filed by the FTC that Verma sent millions of spam text messages that deceitfully promised free merchandise.

Rhode Island hospital to pay $150K for past data breach

More than 12,000 patients' personal and health information was compromised in a breach at The Women & Infants Hospital of Rhode Island.