We all know (or should) that Wired Equivalent Privacy (WEP) isn't real security: And that's been known since at least 2001, as cracks become more and more efficient at breaking this first line of defense for a Wi-Fi network. Most recently, researchers showed they could crack WEP in as little as one to two minutes, which would overcome even 802.1X plus WEP, in which keys are unique to each user and changed frequently.
Two years ago, The Wall Street Journal reports, crackers monitored the Wi-Fi traffic outside a St. Paul, Minn., Marshalls, a chain of stores owned by TJX, which also owns TJ Maxx and Home Goods. They used this information to crack TJX's main database, while the company was unaware of the intrusion for 18 months. From 45.7m to 200m credit card numbers were obtained. TJX says the latter number is too high, but told the Journal that it can't know for sure. Private information like driver's license numbers, social security numbers, and military IDs for 451,000 customers were also stolen.
TJX has hired 50 investigators to deal with the problem and will pay for fraud monitoring for those whose private information was taken. It's unclear to me whether TJX is liable for the fraud committed using those stolen cards, having to repay Visa and MasterCard member banks.
The Journal says that TJX didn't switch to WPA (Wi-Fi Protected Access) early enough--at least by 2005--and an audit they cite showed a lack of encryption and firewalls. The crackers broke into connections used by handheld devices used for inventory and other purposes, almost certainly equipment made by Symbol, the dominant player in that field. (No knock on Symbol: a safe network is the responsibility of the purchaser, and Symbol supported WPA just like everyone else.)
Remarkably, that's practically all it took: they were able to grab central access passwords through the Wi-Fi network, which means that no real protection for credentials and replay was in place. With access to the central system, they could install their own software without detection, and then they exchanged messages with one another on the system itself! Good gravy.
TJX transmitted credit card numbers to banks without encryption, the Journal says the company noted in an SEC filing, which should be impossible. My guess is that explanation is slightly inaccurate. More likely, they retained and stored credit card numbers without encryption, because banks won't accept insecure transactions for their back-end processing. The article notes, "A bill in Minnesota would bar any company from storing any consumer data after a transaction is authorized and completed."