Wireless security blamed for TK Maxx data theft

 

Gallery

By Simon Aughton

Posted on 9 May 2007 at 12:14

The thieves who stole 45 million customer records from TK Maxx last year did so by hacking the clothes retailer's wireless network, according to an unconfirmed report by the Wall Street Journal (WSJ).

WSJ says that investigators now believe the biggest known theft of credit-card numbers in history began two years ago outside a Marshall's clothing store in Minnesota. The hackers pointed a telescope-shaped antenna toward the store and used a laptop computer to decode data streaming through the air between handheld price-checking devices, cash registers and the store's computers.

The data they acquired enabled them to gain access to the central database of Marshall's parent company, TJX, which also owns TK Maxx.

It seems that the compromised wireless network was protected using WEP (Wired Equivalent Privacy) encryption, one of the weakest forms of Wi-Fi security that can be cracked in as little as three seconds. WEP was succeeded by WPA (Wi-Fi Protected Access) in 2003, a much more secure system that combines encryption with strong access controls and user authentication.

Once they had access to the system the hackers were able to track unencrypted data sent to banks, WSJ claims, and even left encrypted messages on the TJX servers so that each member of the group knew which files the others had copied.

TJX has yet to respond to the allegations.