The on-going investigation into how hackers were able to access and extract sensitive customer financial data from clothing retailer TK Maxx has taken another twist after a Wall Street Journal report claimed the theft took place via a poorly secured Wi-Fi network.
Thieves stole 45 million UK and US customer records from TK Maxx in December last year.
The WSJ report claims that investigators now believe the biggest known theft of credit-card numbers in history began two years ago outside a Marshall's clothing store in Minnesota. The hackers pointed a telescope-shaped antenna toward the store and used a laptop computer to decode data streaming through the air between handheld price-checking devices, cash registers and the store's computers.
The data they acquired enabled them to gain access to the central database of Marshall's parent company, TJX, which also owns TK Maxx.
It seems that the compromised wireless network was protected using WEP (Wired Equivalent Privacy) encryption, one of the weakest forms of Wi-Fi security that can be cracked in as little as three seconds. WEP was succeeded by WPA (Wi-Fi Protected Access) in 2003, a much more secure system that combines encryption with strong access controls and user authentication.
Once they had access to the system the hackers were able to track unencrypted data sent to banks, WSJ claims, and even left encrypted messages on the TJX servers so that each member of the group knew which files the others had copied.
TJX has yet to respond to the allegations.
