Hackers who stole 45 million customer records from the parent company of TK Maxx did so by breaking into the retail company's wireless LAN , it emerged on Monday.
TK Maxx's parent company, TJX, had secured its wireless network using Wired Equivalent Privacy (WEP) — one of the weakest forms of security for wireless LANs. Hackers broke in and stole the records — which included millions of credit card numbers — in the second half of 2005 and throughout 2006.
According to The Wall Street Journal, hackers cracked the WEP encryption protocol used to transmit data between price-checking devices, cash registers and computers at a store in Minnesota. The intruders then collected information submitted by employees logging on to the company's central database in Massachusetts, stealing usernames and passwords.
With that information, the hackers set up their own accounts on TJX's system. Over the 18-month period, their software collected transaction data, including credit-card numbers, into approximately 100 large files. Transaction data sent to banks, which was unencrypted by TJX, is also believed to have been intercepted by the hackers. According to The Wall Street Journal, the attackers even left encrypted messages on the TJX network to tell each other which files had been copied.
A Securities and Exchange Commission (SEC) filing in March revealed that TJX believed the attackers had stolen information from its computer systems in Watford that process and store payment card transactions for TK Maxx.
TJX also believed data had been stolen from the part of its computer systems in Massachusetts that processes and stores information related to payment card, cheque and unreceipted merchandise-return transactions for US and Puerto Rico customers at a number of its stores. Analysts have estimated the breach will cost the company approximately $1bn (£500m), excluding any litigation costs.
Many security experts have criticised the strength of WEP encryption. WEP was initially cracked in 2001, and most recently broken by German researchers last month, who beat the encryption using an ordinary laptop in under three seconds.
TJX had not responded to a request for comment at the time of writing.