[ISN] TJX e-mails tell the tale

From: InfoSec News (alerts@private)
Date: Wed Nov 28 2007 - 23:25:01 PST


By Donna Goodison
November 28, 2007 

Executives at TJX Cos., which in January revealed a massive security 
breach that put millions of its customers personal information at risk, 
knew two years ago that the companys wireless payment network was 
vulnerable to attack, according to court documents.

In 2005, TJX officials also discussed the need to update the companys 
wireless network security to a more secure WiFi protected access (WPA) 
system and whether it could be deferred to save money, according to 
e-mail exchanges between TJX employees. The e-mails were included in 
court documents filed in a lawsuit brought by a group of banks against 

The security breach, the nations largest, began in mid-2005 and was 
discovered by TJX in late 2006. TJX has since been accused of failing to 
safeguard customers information and faces a myriad of lawsuits. Canadian 
officials who conducted their own investigation said criminals hacked 
into TJXs wireless networks while outside two Marshalls stores in Miami.

The e-mails reveal TJX executives concerns about the network.

WPA is clearly best practice . . . Paul Butka, TJXs chief information 
officer, wrote in a Nov. 23 e-mail to other TJX employees. I think we 
have an opportunity to defer some spending from FY 07s budget by 
removing the money from the WPA upgrade, but I would want us all to 
agree that the risks are small or negligible.

In response, TJX employee Lou Julian sent an e-mail saying, Saving money 
and being PCI compliant is important to us, but equally important is 
protecting ourselves against intruders.

Julian wrote that the company was vulnerable with the wired-equivalent 
privacy encryption (WEP) standard it had in place. It must be a risk we 
are willing to take for the sake of saving money and hoping we do not 
get compromised, he wrote.

TJX vice chairman Donald Campbell in a statement said that TJXs computer 
security prior to the breach was similar to that of other large 

"These TJX internal e-mails are just a very small portion of the 
extensive, ongoing dialogue on the topic of WPA wireless network 
security and timing of spending which occurred at TJX," Campbell said.

TJX decided to move to WPA in advance of being required to do so by the 
payment card industry. Spending on WPA conversion was not deferred by 
TJX; in fact, it was accelerated and TJX completed conversion to WPA in 
advance of its conversion timetable and ahead of many major retailers.

Visit InfoSec News

This archive was generated by hypermail 2.1.3 : Wed Nov 28 2007 - 23:30:06 PST