[Dataloss] follow-up: TJX. Un-answered questions.

[security curmudgeon]

---------- Forwarded message ----------
From: InfoSec News <alerts at infosecnews.org>

http://blogs.zdnet.com/threatchaos/?p=474

Posted by Richard Stiennon
September 9th, 2007

Repercussions from the biggest reported data breach incident in history 
are still being felt. Last months arrest of a dealer in stolen credit 
cards in Istanbul is just one example of how information stolen from TJX 
Companies is still being used by criminals. As I prepare for a talk I am 
giving at tomorrows Security Standard event in Chicago I realize that TJX, 
the holding company that owns TJ Maxx, Marshalls, and a bunch of other 
retail operations is being less than transparent about the breach they 
first announced last January 17.

According to TJXs official communications through their press releases and 
an SEC filing they first become aware of the presence of unauthorized 
software on their computer systems on December 18 and they reported it for 
the first time to Federal authorities on December 22nd.

There have been several speculative articles about how the breach occurred 
but never explicit descriptions from TJX. One article in the Wall Street 
Journal claims that the thieves broke in via a poorly setup wireless 
access point in a Marhsalls store tein St. Paul, Minnesota. Another less 
circulated story is that thieves broke into multiple TJ Maxx stores via 
kiosks that were kept in the back of the store for accepting job 
applications. I believe that there were multiple incidents over a period 
of at least four years and that TJX had such bad security procedures that 
it was open season on their data by many hackers.

Question number one that I would love to hear the answer to: Exactly how 
and when did these breaches occur?

[..]