What TJX, Lowe's Have In Common


TJX learned nothing from Lowe's. Two years apart, both retailers were the victims of war drivers.

The Wall Street Journal has a good story on how TJX, which admits exposing over 45 million credit and debit card numbers in the biggest data heist to date, left its network open to hackers.

In July 2005, according to the Journal, hackers used a radio antenna to intercept wireless data flowing between handheld price-checking devices, cash registers and routers inside a Marshalls store in St. Paul, Minn. (TJX is the parent company of Marshalls). By decoding the encryption on that data, they could listen as employees logged on to TJX's central database in Massachusetts. They then stole employees' user names and passwords and used them to set up their own accounts to collect transactions from inside TJX. The theft wasn't discovered until last December.

TJX alludes to some of these details in an SEC filing on March 28, where it also admitted transmitting credit card data to banks without encryption.

The techniques used against TJX are similar to those used by hackers against Lowe's home improvement stores in 2003. Remember that case? Two 20-year-old men sat in the parking lot of a Lowe's store in Michigan and used a laptop to log on to an open wireless access point, which gave them access to the store's network, according to Fortune magazine. Once inside, according to Security Focus, a news site owned by Symantec, they modified Lowe's credit card processing software in hopes of intercepting credit card numbers.

Fortunately for Lowe's, its IT people detected the intrusions and called the FBI. Fortune says an agent walking through the parking lot on her way to the bathroom "noticed an eerie glow coming from the front seat of a Pontiac Grand Prix" and ran the license plate. The hackers were caught before any data was compromised.

The TJX hackers are a lot more sophisticated than Lowe's attackers were. Investigators told the Journal that TJX's intruders had "the hallmarks of gangs made of Romanian hackers and members of Russian organized crime groups" who are methodical in seeking out and penetrating the least secure targets and are suspected in two other U.S. cases. The stolen data has already been used to conduct thefts in several countries.

Unlike Lowe's, however, TJX was unaware of the hackers. In addition, according to the Journal, TJX was warned by auditors last September that it was missing software patches and firewalls and was using outmoded WEP (Wired Equivalent Privacy) encryption, a violation of the PCI (Payment Card Industry) security standards from Visa. (Here's a good story from CSO on why the PCI standards aren't working.)
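As an added illustration (not part of the original article) of the audit finding above, this script checks a constructed wireless site survey against a policy that treats WEP and open networks as non-compliant; the survey format, SSIDs and the WPA2 threshold are assumptions.

```python
# Added example: audit a constructed wireless site survey against a minimal
# policy in which WEP and open networks fail, as in the TJX audit findings.
from dataclasses import dataclass

# Constructed survey lines (assumed format): SSID, BSSID, advertised security.
SURVEY = """\
STORE-POS,00:11:22:33:44:01,WEP
STORE-POS,00:11:22:33:44:02,WEP
HANDHELD,00:11:22:33:44:03,OPEN
CORP-MGMT,00:11:22:33:44:04,WPA2-PSK
GUEST,00:11:22:33:44:05,WPA2-EAP
"""

# Policy ranking: higher is stronger. WEP is ranked with OPEN because its
# encryption is broken and offers no real confidentiality.
STRENGTH = {"OPEN": 0, "WEP": 0, "WPA-PSK": 1, "WPA2-PSK": 2, "WPA2-EAP": 3}
MINIMUM = 2  # assumed policy: WPA2 or better on any network carrying card data

@dataclass(frozen=True)
class Finding:
    ssid: str
    bssid: str
    security: str
    reason: str

def parse_survey(text):
    """Yield (ssid, bssid, security) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) == 3 and all(parts):
            yield parts[0], parts[1], parts[2].upper()

def audit(text, minimum=MINIMUM):
    """Return one Finding per access point that falls below the policy."""
    findings = []
    for ssid, bssid, sec in parse_survey(text):
        rank = STRENGTH.get(sec)
        if rank is None:
            findings.append(Finding(ssid, bssid, sec, "unknown security mode; verify manually"))
        elif rank < minimum:
            findings.append(Finding(ssid, bssid, sec, f"{sec} is below the required WPA2"))
    return findings

def ssids_at_risk(text):
    """Distinct SSIDs with at least one weak radio: one weak AP exposes the whole SSID."""
    return sorted({f.ssid for f in audit(text)})
```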

"The $17.4-billion retailer's wireless network had less security than many people have on their home networks," the Journal notes.

TJX is now the subject of numerous lawsuits and investigations and may have exposed as many as 200 million credit card numbers, according to the Journal. TJX rejected that number, but said in its SEC filing that it may never know everything that was taken. The company did not return a call from Baseline.

All businesses that handle personal information on customers should be paying attention.


4 Comments for "What TJX, Lowe's Have In Common"

  • Deborah Gage May 17, 2007 12:40 pm

    Thanks for the pointer to the Best Buy case, Anonymous. I think TJX is taking heat in part because of the size of the theft. Also, it looks to me like the wolf is learning faster than the pigs.

  • Anonymous May 16, 2007 10:21 pm

    And Best Buy had the same issue with their unencrypted wireless connections to cash registers back in 2002: http://www.msnbc.msn.com/id/3078572/ The difference is that, in that case, Best Buy was portrayed as the careless buffoon, and they had to deal with a minor PR disaster as reporters piled on. Consider the story of the three little pigs versus the wolf. Nobody blames the wolf, he's just a force of nature that the pigs have to contend with. Blame for the shoddy houses rests squarely on the lazy pigs. By the time the Lowe's case rolled around, I would've expected the careless pig to take even more heat, having had the very public opportunity to learn from Best Buy's mistake. But instead, the wolves were (rightly) demonized to the (wrongful) exclusion of the pig. What happened? Now here in the TJX case, again the merchant is taking some heat. Why?

  • Keith Carter May 09, 2007 9:24 am

    Companies need to check out some new technology. There is a product available called Signal Defense Film. The product is applied to your existing windows. It is window protection for your electronic assets. It attenuates Wireless LAN Security, Electromagnetic Interference (EMI), leakage from RF and IR signals. This product is being launched to the corporate world. It was previously used on US Government applications.

  • Pushkaraj May 09, 2007 2:43 am

    According to a survey by Infosecurity Europe, 26 percent of companies do not enforce wireless security. I think it's high time we should opt for a good wireless security solution which will find rogues quickly with precise location tracking and will protect your confidential business information.