2. Hackers taking it to the TK Maxx
Posted on 17 Jun 2008 at 10:40
Gaffe rating: 878
Until last year, the most disturbing things you'd find in TK Maxx were a pair of novelty "kiss me quick" boxer shorts and a Saturday lad with an acne problem. But hackers found something more alarming on probing the company's servers.
The world's biggest theft of credit card data started in July 2005, and continued for an amazing 18 months. TJX, the US-based parent company of TK Maxx, had its systems breached by a hacker - and when the breach was finally discovered in December 2006, 45.7 million credit and debit card details had been stolen. Investigators believe the breach started with the hackers using a telescope antenna and a laptop to intercept data on a wireless network at one store, and listening in to employees connecting to the TJX central servers. Armed with login details, the gang could set up accounts, install data-harvesting software - do pretty much anything.
Reports published by The Wall Street Journal said a failure to use firewalls and install software patches didn't help either, nor did disregarding the Payment Card Industry Data Security Standard framework's requirement not to store financial transaction data for longer than is strictly necessary. You might expect data to be stored until a transaction has cleared, but not for it to date back years. But then you might also expect wireless networks handling transactional data to be secured with something more robust than the basic WEP protocol when the stronger WPA option has been available for so long.
The moral of this story? Always have levels of security appropriate to the value of the data you're meant to be protecting. Unlike TK Maxx, which was using the electronic equivalent of Ronnie Corbett as a bouncer.
Author: Davey Winder
Printed from www.pcpro.co.uk

