Wednesday, September 26, 2007

Kiosk not found to be cause of TJX security breach

A few weeks ago we speculated (with the help of some other speculation) that the security breach at TJX (the company that owns TJ Maxx, Marshalls and others) could have been caused by hackers who used unattended employment application kiosks to gain access to the firm's corporate network. Both Information Week and StorefrontBacktalk suggested that the kiosks were a plausible vector into the network, especially since many suggested that they were not firewalled off from other connected devices.

However, this story in the WSJ today suggests that was not the case at all. Instead, the privacy commissioners of Canada and the province of Alberta (who jointly conducted a probe), found that:
"TJX was using a weak encryption protocol to protect its consumer data in July 2005, when hackers first broke into its computer system. The protocol, known as Wired Equivalent Privacy, or WEP, isn't recommended by security experts even for wireless home networks because it is so vulnerable to hackers.

"TJX decided to upgrade to a more secure Wi-Fi Protected Access encryption protocol at the end of September 2005, Canadian officials said. By then, however, hackers had been able to access the company's internal transaction database. They did so initially from outside two stores in Miami, the probe found."
While this isn't the only investigation into the breach, and it's possible that others will find additional ways past the firm's security systems, for now it looks like the kiosks were not directly at fault for the breach and the subsequent theft of up to 45.7 million credit card numbers.
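The WEP weakness the Canadian investigators point to is worth seeing concretely. The following is an added example, not part of the original post and not drawn from any report on TJX: a toy WEP-style frame encryptor in Python with a constructed key, IV and frame contents. It shows why the 24-bit IV matters (two frames encrypted under the same IV share an RC4 keystream, so one known plaintext decrypts the other), why the CRC-32 integrity check does not stop tampering (CRC is affine, so an attacker can flip plaintext bits and patch the check value blind), and how quickly a repeated IV becomes likely on a busy network. The key, IV and packet payloads are made up for the demonstration.

```python
"""Toy WEP: RC4 keyed by (24-bit IV || shared key), CRC-32 as the integrity check (ICV).

Constructed demonstration values only; nothing here comes from the TJX incident.
"""
import math
import zlib

KEY = bytes.fromhex("0badc0ffee")   # constructed 40-bit ("64-bit") WEP key
IV = bytes.fromhex("a1b2c3")        # constructed 24-bit IV, sent in the clear


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream (KSA then PRGA, no keystream dropping, as WEP does)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP's integrity check value is a plain CRC-32 of the data (no key involved)."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Frame body = IV (clear) || RC4(IV || key) XOR (data || ICV)."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    body = data + icv(data)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Return (data, icv_ok). A receiver accepts the frame iff icv_ok."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + key, len(ct)))
    data, tag = body[:-4], body[-4:]
    return data, tag == icv(data)


def recover_with_known_plaintext(frame_a: bytes, plain_a: bytes, frame_b: bytes) -> bytes:
    """Keystream reuse: if frames A and B carry the same IV they were encrypted with the
    same RC4 keystream. Knowing A's plaintext (say, a predictable ARP request) gives the
    keystream, which decrypts B without ever touching the shared key."""
    assert frame_a[:3] == frame_b[:3], "attack needs an IV collision"
    assert len(frame_b) <= len(frame_a), "known frame must cover B's length"
    keystream = xor(frame_a[3:], plain_a + icv(plain_a))   # C_a XOR P_a
    body_b = xor(frame_b[3:], keystream)
    return body_b[:-4]                                       # strip B's ICV


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Undetected tampering: CRC-32 is affine over GF(2), so for equal-length inputs
    crc(d ^ delta) = crc(d) ^ crc(delta) ^ crc(zeros). The attacker XORs delta into the
    ciphertext and patches the encrypted ICV without knowing the key or the plaintext."""
    iv, ct = frame[:3], frame[3:]
    assert len(delta) == len(ct) - 4, "delta must span the data field exactly"
    icv_delta = xor(icv(delta), icv(bytes(len(delta))))
    return iv + xor(ct, delta + icv_delta)


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least one IV repeats among `frames` random IVs.
    Drivers that count IVs sequentially instead simply wrap after 2**24 frames."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * 2 ** iv_bits))


if __name__ == "__main__":
    arp = b"who-has 10.0.0.1 tell 10.0.0.2"           # constructed, attacker-predictable payload
    secret = b"track2=<redacted>"                      # constructed, what the attacker wants
    fa, fb = wep_encrypt(KEY, IV, arp), wep_encrypt(KEY, IV, secret)
    print("recovered:", recover_with_known_plaintext(fa, arp, fb))
    forged = flip_bits(wep_encrypt(KEY, IV, b"amount=0100"), xor(b"amount=0100", b"amount=9100"))
    print("forged frame decrypts to:", wep_decrypt(KEY, forged))
    print("P(IV repeat after 4096 frames) = %.2f" % iv_collision_probability(4096))
```

Two design points. First, the collision figure is the optimistic case: with random IVs a repeat is roughly a coin flip after about 5,000 frames, and a sequential counter guarantees reuse after 2^24 frames, which a busy access point reaches in hours. Second, the real attacks against WEP (FMS, KoreK, PTW) go further than keystream reuse and recover the shared key itself from a few tens of thousands of captured frames, which is why the quoted advice is that WEP is unfit even for a home network. WPA's TKIP addressed the IV problem with per-packet key mixing and a longer sequence counter, and WPA2's CCMP replaced RC4 and CRC-32 with AES and a real message authentication code.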
