Popuar Topics



Main menu:


Weblogs of Interest

Details of TJX Hacking Fiasco Come To Light

Law enforcement has managed to round up 11 criminals who were behind the massive computer hacking scheme that resulted in the theft of millions of credit and debit card numbers as well as other personal information from retail giant TJX.

Back when I first learned about the scheme, I posted that TJX needed a good slap in the face. At this point I’d like to amend that statement by saying they should get a good kick in the… Well, use or imagination.

Ever since I heard about it, I have wondered how the crooks managed to pull it off. Having worked in the computer industry for many years, these kinds of things interest me, and now that arrests have been made, I managed to dig up the details that had previously eluded me.

Here’s how this whole thing went down: The hackers made use of a techniqueShopping called "war driving," something that has been going on for years. In involves driving around with a laptop computer that is configured to detect wireless networks. In this case, the hackers were said to have used a directional antenna which can greatly increase the range from which you can access a wireless network.

Believe it or not, there are plans on the internet that involve the construction of a rudimentary directional antenna for war driving purposes using a Pringles can!

In this particular case, the hackers parked outside a Marshall’s store near St. Paul, Minnesota sometime during July of 2005, and commenced their efforts to penetrate the stores wireless network. With wireless hand-held price checkers in use in the store, and probably other wireless devices as well, there was plenty of data in the air for the hackers to capture on their laptop. This kind of activity could also be referred to as "sniffing" since the hackers are simply gathering the data that is being transmitted between various store devices via the wireless network.

Some of this data that the hackers captures contained usernames and passwords for TJX’s main computer systems in Framingham, Mass. Those were the gems that the hackers were looking for. They had hit the jackpot.

You may be wondering why it was so easy for the hackers to penetrate the store’s wireless network and begin sniffing all the traffic. It was so easy because the store was using an outdated version of the encryption scheme that was used to protect the data. They were using an encryption scheme known as WEP or Wired Equivalent Privacy, which had been "cracked" as early as 2001, meaning that weaknesses in the encryption scheme were discovered, and resulted in the creation of readily available programs that allowed hackers to compromise a WEP-encrypted wireless network in minutes. For the hackers, it was likely equivalent to child’s play.

TJX, a $17 billion dollar retail empire, failed to upgrade their wireless network to a new scheme called WPA, which corrected the problems with the WEP scheme. An auditor later discovered that TJX had also failed to install network firewalls and data encryption protection on many of its computers connected to the wireless network, and didn’t properly install another layer of security software it had obtained. Maybe they just bought the extra software because it came in a pretty box!

When queried about these failures the company declined to comment on its security measures. Perhaps the $17 billion dollar company could not afford to hire qualified personnel to implement the protective measures. As they used to say on Saturday Night Live, "Yeah, that’s the ticket."

Once the hackers has access to the companies main computer systems in Framingham, they boldly created their own user accounts to access the systems, and even went as far as using the company’s network to exchange encrypted messages with one another to avoid duplicating their efforts and copy files that has already been copied.

The hackers collected TJX retail customer information from the TJX systems and copied it to other systems they had access to in the U.S. and Eastern Europe. They sold some of the data to other criminal elements, and used some it themselves.

Some of the data even included Social Security numbers, drivers licence numbers and military ID numbers, exposing over 450,000 customers to the threat of identity theft. Naturally, the company apologized for the incident and has improved their security, but I guess that’s a bit like closing the barn door after the horse has escaped. Once that data is out there, it’s out there and who knows how many criminals have access to it.

The whole nasty scheme started coming to light during the aftermath of Hurricane Katrina when some customers of Fidelity Homestead, a Louisiana savings bank, began to notice strange transactions on their credit card statements. Hey, just what you need after enduring the worst hurricane in recent history! Some low-life using your credit card info to go on a spending spree.

Meanwhile, the hackers were still having their way with the TJX systems and managed to go unnoticed by the geniuses in the TJX IT department for 18 months. That’s got to be some strict set of security guidelines they had in place in their data center, wouldn’t you say? But, hell, who needs to protect things like customer Social Security numbers and other personal information as well as debit and credit card numbers? Just let the usernames and passwords for those systems fly around the airwaves inside stores on a wireless network that was well known for it’s easy accessibility. Brilliant!

Apparently, various criminals around the world had a field day with the data and used it to make purchases and do whatever else they could with it to profit. Criminals are often able to obtain equipment that can be used to create credit cards that are copies of the originals once they have collected the required info they need to print on the cards and encode onto the card’s magnetic strip.

It was during the fall of 2006 when a group of morons on Florida decided to go on a spending spree that set about the events that started to put pieces of the puzzle together. A Wal-Mart clerk became suspicious of people buying large quantities of gift cards and alerted police.

With the help of store surveillance tapes, the police managed to track down and arrest the idiots, who were said to have "covered a lot of territory in a relatively short period of time," according to a special agent with the Florida Department of Law Enforcement. That’s what happens when stupid criminals allow themselves to get too greedy.

As the crooks in Florida were enjoying an early Christmas at someone else’s expense, an auditor at TJX warned the company regarding its poor security, and that the company wasn’t complying with many of the requirements imposed by Visa and MasterCard, according to someone who was familiar with the auditor’s report. The report noted the outdated WEP wireless encryption, as well as missing software patches and network firewall protection.

It took until December of 2006 before TJX finally began to realize what had been going on right under their noses for months. They hired computer forensics experts and notified the Secret Service. I can’t help but think that TJX could have spared itself a lot of grief, and more importantly, risk to their customer’s financial well being if they had hired some in-house experts to keep an eye on things, or at least some system administrators who were better trained in matters related to security.

As someone who worked as a system administrator for many years myself, it’s hard to imagine how newly-created, unauthorized access accounts were created on a system without being noticed for 18 months!

There were attempts to catch the hackers in the act but they managed to elude their pursuers by using publicly-available internet connections like those found in coffee houses and using internet addresses belonging to private individuals who had no idea what was going on.

The good news is that this whole fiasco could end up costing TJX $1 billion or more. A punishment that is richly-deserved in this consumer’s opinion.

Personally, I never plan to step foot in a TJX-owned retail establishment again. What can you find in any of their stores that you cannot find online anyway? I just love shopping online since I don’t care much for driving anyway, and I don’t care much for crowds or waiting in check-out lines.

The other good news is that the main figures responsible for this crime have been indicted by federal prosecutors and will probably face a nice hefty stretch of time in a federal prison if convicted. I am a bit concerned that the 11 crooks are spread among five different counties, so I suppose one can expect delays and complications as a result of extradition treaties and other bureaucratic red tape.

I hope this entire episode serves as a warning to big companies that deal with personal data belonging to customers, as well as the hackers who think they are clever enough to out-smart the authorities. What criminals like this don’t seem to realize is that no matter how clever they are (and I will admit they were likely pretty smart when it comes to hacking systems), there are people just as clever on the other side of the law who will be looking for them.


Comment from Benjamin Wright
Posted: August 17, 2008 at 5:39 pm

Careful reading of the indictments of the TJX data thieves show that the media, card issuers and Federal Trade Commission over-reacted to the TJX incident. The TJX break-in was not as bad as we were led to believe. –Ben

Comment from Admin
Posted: August 17, 2008 at 7:53 pm

Thanks for stopping by with your comments, Ben,

I did indeed check out the URL you posted and ended up over at Michael Janke’s blog where you guys had a good exchange.

I have to come down on Michael’s side on this one.

Aside from all the legal issues, which I certainly do not feel qualified to talk about with any authority, what personally irked me so much was that they were keeping credit card information stored in their systems for so long.

What would be the purpose of that? After a certain and reasonable amount of time, that type of information should be deleted instead of being left in a database somewhere waiting for some hacker to come scoop it up.

Certainly, it may need to be retained for a while in the event of a fraud investigation, and having been on the merchant side of a few “charge backs” myself, I know that they normally take two or perhaps three months before credit card fraud is discovered.

In my view, they had no reason to be retaining that kind of data for that long. Ass I believe I mentioned, my wife shopped at a TJX store during the time that the hackers were accessing TJX systems. Fortunately, we did not encounter any problems as a result but were issued new credit and debit cards by our credit union as a precaution.

Comment from Mollie Renegar
Posted: March 18, 2010 at 2:32 am

Uncovered your internet site on last week and truly loved this.. I saved it and definately will return to look it over more afterwards .. burglar alarm system

Comment from admin
Posted: March 18, 2010 at 8:31 am

And I truly loved deleting the link to your lame site.

By the way, the link within the body if the comment wasn’t even formatted right. Why don’t you learn how to use your spambot software correctly or just go find yourself a real job. McDonald’s may be hiring if you’re lucky.


Write a comment