Slashdot Mirror

← Back to Stories (view on slashdot.org)

TJX Security Breach Described

Posted by kdawson on from the details-emerging dept.

Bunderfeld notes more details coming out about how bad guys got into the TJX network. Last time we discussed this, the best information indicated that a WEP crack had started the ball rolling. Now we learn that instead, or in addition: "Poorly secured in-store computer kiosks are at least partly to blame for acting as gateways to the company's IT systems, InformationWeek has learned. According to a source familiar with the investigation who requested anonymity, the kiosks, located in many of TJX's retail stores, let people apply for jobs electronically but also allowed direct access to the company's network, as they weren't protected by firewalls. 'The people who started the breach opened up the back of those terminals and used USB drives to load software onto those terminals,' says the source. In a March filing with the Securities and Exchange Commission, TJX acknowledged finding 'suspicious software' on its computer systems."

2 of 104 comments (clear)

  1. storing secrets; security through obscurity by Schraegstrichpunkt · · Score: 4, Insightful

    However, Visa indicated in February, through a number of documents sent to financial institutions that issue cards and manage Visa transactions, that TJX was storing card number, expiration date, and card verification value codes, all of which are prohibited by PCI. As for its efforts at encryption, "We believe the intruder had access to the decryption algorithm for the encryption software we utilize," TJX said in its annual report.

    I love it how people talk about how they're using "encryption" when possessing the algorithm is enough to break it.

    Idiots.

    --
    http://outcampaign.org/
  2. I'm SURE the customers will be taken care of by IronChef · · Score: 4, Insightful

    Who here has gotten a free year with a credit watchdog service due to your information having been leaked by some company you dealt with? (The letter I got actually said that my information was put at risk due to some kind of sloppy law enforcement access. WTF?)

    I normally hate calling for more laws but there should be more severe penalties for this kind of error. Otherwise... it will keep happening.