TJX update and "How it was done"

According to this Register post and Walls street Journal, the TJX credit card breech was done by simple wardriving towards one of its outlets in St. Paul, Minnesota. It is amazing how large corporations tries to maximize profit by reducing security. In this particular case, the wireless network was not secured, and allowed wardrivers to intercept the trafic. This kind of setup should not even be used to secure your home-based network - so one may wonder how a large corporation can allow for so poor security. What was done in this case (read the details in the Register post):

• a local manager installs a WIFI, and do not secure it apropriately. Lets hope the installation was against corporate policies…
• A wardriver hacks the poor security and gains access to all network data
• the wardriver collects data like user accounts with passwords, and payment details
• the system is not encrypting payment information – a breech of creditcard payment policies
• the hacker uses the collected data to acces the TJX central computer, and set up a series of new accounts
• using the new accounts, the hacker has access to all corporate data, from all over the world. A team of hackers (some says Russian & Bulgarian) then starts to steal information. They even sends encrypted messages about their current status and projects, so not to intrude each others areas
• They steal the database of credit card information, and use the cards in many different countries and states

The interesting part here is that TJX saved a few buck by setting up a cheap wireless solution in ONE single location. Their lack of security awareness, and the impact security has on their business has resulted in a trademark seriously damaged. They are beeing forced to investigate and change their systems. They will have to pay damage. Numbers like US$1billion has been discussed. A high price to pay to save only a few dollars. The good thing is that now it should be easier to convince the board of directors, owners and top management that security is a good thing to have, and that a few dollars spent is better than a huge loss when the accident happens.