The Wall Street Journal has published a story outlining the details on how criminals managed to hack their way into the TJX network and gain access to over 45 million credit card numbers.
It appears that in the summer of 2005, criminals using wireless laptops managed to crack into the wireless network of a Marshalls shop, which is part of the overall TJX group. The thieves first cracked the wireless network supporting the point-of-sale terminals communicating back to the shop's network. The criminals then used that information as a beachhead from which they burrowed deeper into the TJX systems.
It appears that TJX were using the long-defunct WEP encryption protocol to protect their wireless network. This was in spite of more robust and secure technologies being available, and also in spite of an auditor's report highlighting the weaknesses within the TJX network.
The article makes interesting reading and should prove to be a sober lesson to those companies who still insist on using WEP to protect their wireless networks.
Anyone considering rolling out a wireless network in a corporate environment should use the more robust security protocols that are readily available. They should also treat the wireless network as hostile and firewall it off from the corporate network, while ensuring that wireless users authenticate themselves to the network using VPN technology similar to that deployed for remote users.
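A practical way to act on this advice is to audit your own access-point configurations for the WEP and open modes the post warns about. The script below is an added example, not code from the original post or from TJX or any vendor named in it: it parses hostapd-style `key=value` configuration text, classifies each access point as open, WEP, WPA/WPA2-PSK or WPA2-Enterprise (802.1X, `wpa_key_mgmt=WPA-EAP`), and lists remediation findings. The three sample configurations, their SSIDs and the RADIUS address in them are constructed for the example; the `wep_key0`, `wpa`, `wpa_key_mgmt` and `ieee8021x` keys are real hostapd options, but the audit logic and its thresholds are this example's own.

```python
"""Audit hostapd-style access-point configs for weak wireless security.

Added example: the sample configs below are constructed, not real deployments.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Finding:
    ssid: str
    mode: str                       # "open", "WEP", "WPA-PSK", "WPA2-PSK", "WPA2-Enterprise", ...
    issues: List[str] = field(default_factory=list)


def parse_hostapd(text: str) -> Dict[str, str]:
    """Parse hostapd.conf-style text (key=value per line, '#' comments)."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def classify(conf: Dict[str, str]) -> Finding:
    """Derive the effective security mode from the parsed config and flag weaknesses."""
    ssid = conf.get("ssid", "<unnamed>")
    wpa = int(conf.get("wpa", "0") or 0)          # bitfield: 1 = WPA, 2 = WPA2 (RSN)
    key_mgmt = conf.get("wpa_key_mgmt", "").split()
    has_wep = any(k.startswith("wep_key") for k in conf)   # wep_key0..wep_key3 configured

    if wpa == 0:
        mode = "WEP" if has_wep else "open"
    else:
        generation = "WPA2" if wpa & 2 else "WPA"
        mode = generation + ("-Enterprise" if "WPA-EAP" in key_mgmt else "-PSK")

    issues: List[str] = []
    if mode == "open":
        issues.append("no encryption configured")
    if mode == "WEP":
        issues.append("WEP is broken; migrate to WPA2-Enterprise")
    if wpa & 1:
        issues.append("WPA (version 1) still enabled alongside WPA2")
    if wpa and "WPA-EAP" not in key_mgmt:
        issues.append("pre-shared key in use; prefer 802.1X (WPA-EAP) with a RADIUS server")
    return Finding(ssid=ssid, mode=mode, issues=issues)


def audit(configs: List[str]) -> List[Finding]:
    """Classify every config text and return the findings in order."""
    return [classify(parse_hostapd(c)) for c in configs]


# Constructed sample configurations (SSIDs, keys and addresses are placeholders).
WEP_CONF = """
interface=wlan0
ssid=STORE-POS-LEGACY
wep_default_key=0
wep_key0=0123456789
"""

PSK_CONF = """
interface=wlan0
ssid=STORE-STAFF
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=REPLACE-ME
"""

ENTERPRISE_CONF = """
interface=wlan0
ssid=STORE-POS
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.5
auth_server_port=1812
auth_server_shared_secret=REPLACE-ME
"""

if __name__ == "__main__":
    for f in audit([WEP_CONF, PSK_CONF, ENTERPRISE_CONF]):
        status = "OK" if not f.issues else "FIX"
        print(f"[{status}] {f.ssid}: {f.mode}")
        for issue in f.issues:
            print(f"       - {issue}")
```

Run it against your exported access-point configs (one text per entry in the list passed to `audit`) and treat every `FIX` line as a remediation item; the first two findings mirror the WEP and shared-key setups the post argues against, while the third shows the 802.1X configuration that replaces them.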
No doubt more details regarding this story will come out over time. It will be interesting to see how the wireless security vendors will react to this news story and indeed we still await an assertive response from Visa and Mastercard regarding the apparent lack of compliance by TJX with the PCI Standard.
The other lesson to be learnt is to listen to your auditors; they could save you a lot of embarrassment in the future.