WLAN Security Blamed for TJX Payment Card Breach

By Lisa Phifer

October 05, 2007

Retailer faulted for failing to upgrade to WPA and monitor WLAN.

A new report issued by the Office of the Privacy Commissioner of Canada last week cited Winners Merchant International and its parent company, TJX, for failure to satisfy personal information protection standards during a break-in that compromised 45 million payment cards.

Although other factors contributed to the breach, investigators placed much of the blame squarely on WLAN security. “TJX relied on a weak encryption protocol [WEP] and failed to convert to a stronger encryption standard [WPA] within a reasonable period of time,” concludes the report. “The risk of breach was foreseeable … therefore, TJX did not meet the safeguard provisions of either PIPEDA or PIPA.”

Tracking the breach

According to the report, TJX discovered suspicious software on its computer systems in late 2006. TJX suspects that the intrusion started with a WLAN break-in outside two Marshall’s stores in Miami, Florida, during July 2005.  At that time, the affected APs were secured with WEP.  Although not conclusively proven, it is believed that key crackers were used to penetrate those WLANs, gaining access to store networks.

From there, intruders worked their way through the TJX network into back-end systems – notably Retail Transaction Switch (RTS) servers that process and store customer information related to payment card and merchandise return transactions. Intruders gained access to personal information stored on those systems, including customer names, addresses, telephone numbers, driver’s license numbers, ID numbers, credit card numbers, and expiration dates. The breaches occurred primarily during the second half of 2005 (2H05) and the second half of 2006 (2H06), ending on December 18, 2006.

Nailing the culprits

Last week’s report reflects conclusions reached by the Canadian investigation, launched to determine whether TJX violated the Personal Information Protection and Electronic Documents Act (PIPEDA) and/or the Personal Information Protection Act (PIPA). “Every organization in Canada is subject to the safeguarding principles established in PIPEDA,” said the report. “It is critical that organizations not only consider multiple layers of security, but also keep abreast of technological advances to ensure that their security safeguards have not become outdated and easily defeated.”

At the end of its eight-month probe, investigators concluded that TJX’s practice of recording driver’s license and ID numbers was excessive and contrary to PIPEDA/PIPA. “As the intrusions took place over an extended period of time, the hackers were able to take full advantage of downloading information that should not have been retained,” said the report. To avoid this in the future, TJX has agreed to stop collecting driver’s license and other ID numbers, substituting a cryptographic hash as a unique customer identifier.

Investigators also considered whether TJX made reasonable security arrangements to protect the personal information in its custody. “Principle 4.7.1 of PIPEDA stipulates that the security safeguards shall protect personal information against loss or threat, as well as unauthorized access, disclosure, copying, use, or modification,” said the report. 

According to the report, physical and operational measures were in place at the time of the breach, but technical measures were faulty. “WEP cannot be relied on as a secure system since the encryption is easily bypassed, and it is not adequate for protecting a network,” said the report.

Strengthening the WLAN

Investigators acknowledged that TJX had launched a WPA upgrade plan back in October 2005. But it did not consider that plan to be timely or sufficient, given the risks involved.

“At the time [of the breach], few retailers had converted to WPA. Yet, we note that there were organizations that had converted to WPA due to risk analyses,” said the report. “Whether or not other retailers made the move to [use] better encryption methods, the fact of the matter is that TJX was the organization subject to the breach.”

The report also noted that WPA upgrades require advance planning and budget.  However, “the cost of upgrading to secure equipment must be measured in relation to the cost of a potential intrusion. Since a compromised WLAN can allow an intruder into the corporate network, the potential for significant damage is quite high. Replacing wireless products to secure the wireless network is a cost-effective way to close a vulnerable gap.”

Investigators also faulted TJX for failing to segregate cardholder data during its WPA conversion, and for failing to “vigorously monitor” WLAN security threats.  “If adequate monitoring was in place, then TJX should have been aware of intrusion prior to December 2006,” said the report.

To address these weaknesses, all TJX stores have now been upgraded to WPA.  TJX has also strengthened the monitoring of systems that were compromised by the intruder. "While we respectfully disagree with many of the commissioners' factual findings and legal conclusions, we have chosen to implement their recommendations, having already implemented most of them, with the remainder in process," said TJX spokesperson Sherry Lang.

Lessons learned

Companies subject to privacy laws and industry regulations have much to learn from TJX’s very costly mistake, estimated at $256 million in TJX’s 2Q07 earning report.

Today, four years after WPA products became commercially available, many companies are still using WEP. Some use relatively weak “compensating measures” like period WEP key rotation and MAC address filtering to satisfy industry standards like PCI DSS.

The conclusions reached by this Canadian probe demonstrate that, when it comes to security, ignorance is definitely not bliss. While upgrades can certainly take time and money to complete, investigators also expected to see layered security measures like asset management, network segregation, and active monitoring – in other words, indications that the company truly recognized the threat and had taken reasonable steps to mitigate that risk in a timely fashion.

"The company collected too much personal information, kept it too long, and relied on weak encryption technology to protect it — putting the privacy of millions of its customers at risk," said Canadian Privacy Commissioner Jennifer Stoddart.



Comment and Contribute
(Maximum characters: 1200). You have
characters left.