Complain about a product or service

Wireless Hackers Suspected In TJ Maxx Breach

By Martin H. Bosworth
ConsumerAffairs.com

May 7, 2007

TJX • Ring Charged with Hacking Major U.S. Retailers • TJX To Pay Mastercard $24 Million For Data Breach • TJX Settles with FTC Over Data Breach • TJX Settles with Banks over Data Breach • TJX Settles Visa Suit over Data Breach • Attorneys General Oppose TJX Data Breach Settlement • TJX Data Breach Victims Reach 94 Million • TJX Data Breach Settlement Has Strings Attached • Wireless Hackers Suspected In TJ Maxx Breach • TJX Data Breach Called "Biggest Ever" • Data From T.J. Maxx Breach Connected To Florida Fraud • TJX Data Breach Bigger than Earlier Estimates • Massachusetts, Rhode Island Open TJX Probes • TJX Sued for Loss of Consumer Data • Hackers Hit T.J.Maxx, Marshalls • Congress Takes On Data Security --- • TJX Customers: What To Do • Consumer Complaints

Cyber-thieves using a telescoping wireless antenna to intercept payment information may be responsible for the "biggest data breach ever," investigators theorize.

The Wall Street Journal reported that hackers in St. Paul, Minnesota, parked outside a Marshalls' department store and used the antenna to decode data between hand-held payment scanners, enabling them to break into parent company TJX's database and make off with credit and debit card records of nearly 47 million customers.

Drive-by hacking, or "wardriving," was the first major threat to Internet access over wireless connections. Wardrivers drive by or park near Wi-Fi hotspots or open networks and use various means to siphon off data from unsuspecting users.

The TJX network was alleged to have less wireless network security protection than the networks of many home users. The hackers are believed to have had access to the network for as long as two years, going back to at least July 2005.

TJX was also alleged to be using the older Wireless Equivalent Privacy (WEP) protocol for its network, which has been largely discredited for the ease with which it can be broken. Security researchers in Germany recently published a paper documenting how WEP can be broken in as little as 60 seconds.

Most security experts recommend upgrading to the stronger Wi-Fi Protected Access (WPA) protocol, but TJX was apparently slow to adopt the new system.

Although TJX refused to comment on the wardriving allegations, the company previously acknowledged that it failed to meet security procedures mandated by the credit card industry. The company admitted to transferring credit card payment information to banks without any sort of encryption, making it easier for the wardrivers to pick up the information as they surfed the TJX network.

The hackers then most likely sold the purloined customer data in the "underground economy" of black-market chats that specialize in the trading and selling of personal information. Data connected to the TJX breach turned up in a Florida fraud case involving credit cards "cloned" with the stolen personal information.

The fraudsters then used the clone cards to purchase gift cards from Wal-Mart, which they then redeemed for thousands of dollars in high-priced merchandise.

Although the TJX corporation claims its strong first-quarter sales numbers show that its shoppers don't care about the data breach, the company is still fending off numerous lawsuits from state Attorneys General and class-actions from irate customers.

Most recently, a coalition of banks in Massachusetts, Colorado, and Maine filed suit against TJX for forcing them to absorb the costs of canceling and reissuing thousands of credit and debit cards exposed in the breach.

The TJX breach has also spurred numerous bills in Congress to mandate stronger data security standards for both government agencies and private companies, and to ensure affected individuals are notified if a breach occurs.

Many of the bills are flawed, however, as they preempt stronger state data breach laws and enable numerous exemptions for law enforcement agencies to delay consumer notification of breaches, privacy advocates say.

Report Your Experience
If you've had a bad experience -- or a good one -- with a consumer product or service, we'd like to hear about it. All complaints are reviewed by class action attorneys and are considered for publication on our site. Knowledge is power! Help spread the word. File your consumer report now.

Back to the top |