What TJX, Lowe's Have In Common


TJX learned nothing from Lowe's. Two years apart, both retailers were the victims of war drivers.

The Wall Street Journal has a good story on how TJX, which admits exposing over 45 million credit and debit card numbers in the biggest data heist to date, left its network open to hackers.

In July 2005, according to the Journal, hackers used a radio antenna to intercept wireless data flowing between handheld price checking devices, cash registers and routers inside a Marshalls store in St. Paul, Minn. (TJX is the parent company of Marshalls). By decoding the encryption on that data, they could listen as employees logged on to TJX's central database in Massachusetts. Then they stole employees' user names and passwords to set up their own accounts to collect transactions from inside TJX. The theft wasn't discovered until last December.

TJX alludes to some of these details in an SEC filing on March 28, where it also admitted transmitting credit card data to banks without encryption.

The techniques used against TJX are similar to those used by hackers against Lowe's home improvement stores in 2003. Remember that case? Two 20-year-old men sat in the parking lot of a Lowe's store in Michigan and used a laptop to log on to an open wireless access point, which gave them access to the store's network, according to Fortune magazine. Once inside, according to Security Focus, a news site owned by Symantec, they modified Lowe's credit card processing software in hopes of intercepting credit card numbers.

Fortunately for Lowe's, its IT people detected the intrusions and called the FBI. Fortune says an agent walking through the parking lot on her way to the bathroom "noticed an eerie glow coming from the front seat of a Pontiac Grand Prix" and ran the license plate. The hackers were caught before any data was compromised.

The TJX hackers are a lot more sophisticated than the Lowe's intruders were. Investigators told the Journal that TJX's intruders had "the hallmarks of gangs made of Romanian hackers and members of Russian organized crime groups" who are methodical in seeking out and penetrating the least secure targets and are suspected in two other U.S. cases. The stolen data has already been used to conduct thefts in several countries.

Unlike Lowe's, however, TJX was unaware of the hackers. In addition, according to the Journal, auditors warned TJX last September that it was missing software patches and firewalls and was using outmoded WEP (Wired Equivalent Privacy) encryption, a violation of PCI (Payment Card Industry) security standards from Visa. (Here's a good story from CSO on why the PCI standards aren't working.)

"The $17.4-billion retailer's wireless network had less security than many people have on their home networks," the Journal notes.

TJX is now the subject of numerous lawsuits and investigations and may have exposed as many as 200 million credit card numbers, according to the Journal. TJX rejected that number, but said in its SEC filing that it may never know everything that was taken. The company did not return a call from Baseline.

All businesses that handle personal information on customers should be paying attention.