http://news.bostonherald.com/business/general/view.bg?articleid=1047504

By Donna Goodison
November 28, 2007

Executives at TJX Cos., which in January revealed a massive security breach that put millions of its customers' personal information at risk, knew two years ago that the company's wireless payment network was vulnerable to attack, according to court documents.

In 2005, TJX officials also discussed the need to update the company's wireless network security to a more secure WiFi protected access (WPA) system and whether it could be deferred to save money, according to e-mail exchanges between TJX employees. The e-mails were included in court documents filed in a lawsuit brought by a group of banks against TJX.

The security breach, the nation's largest, began in mid-2005 and was discovered by TJX in late 2006. TJX has since been accused of failing to safeguard customers' information and faces a myriad of lawsuits. Canadian officials who conducted their own investigation said criminals hacked into TJX's wireless networks while outside two Marshalls stores in Miami.

The e-mails reveal TJX executives' concerns about the network.

"WPA is clearly best practice . . ." Paul Butka, TJX's chief information officer, wrote in a Nov. 23 e-mail to other TJX employees. "I think we have an opportunity to defer some spending from FY 07's budget by removing the money from the WPA upgrade, but I would want us all to agree that the risks are small or negligible."

In response, TJX employee Lou Julian sent an e-mail saying, "Saving money and being PCI compliant is important to us, but equally important is protecting ourselves against intruders."

Julian wrote that the company was vulnerable with the wired-equivalent privacy encryption (WEP) standard it had in place.

"It must be a risk we are willing to take for the sake of saving money and hoping we do not get compromised," he wrote.

TJX vice chairman Donald Campbell in a statement said that TJX's computer security prior to the breach was similar to that of other large retailers.

"These TJX internal e-mails are just a very small portion of the extensive, ongoing dialogue on the topic of WPA wireless network security and timing of spending which occurred at TJX," Campbell said.

TJX decided to move to WPA in advance of being required to do so by the payment card industry. Spending on WPA conversion was not deferred by TJX; in fact, it was accelerated and TJX completed conversion to WPA in advance of its conversion timetable and ahead of many major retailers.