How Credit-Card Data Went Out Wireless Door

The biggest known theft of credit-card numbers in history began two summers ago outside a Marshalls discount clothing store near St. Paul, Minn. There, investigators now believe, hackers pointed a telescope-shaped antenna toward the store and used a laptop computer to decode data streaming through the air between hand-held price-checking devices, cash registers and the store’s computers. That helped them hack into the central database of Marshalls’ parent, TJX Cos. in Framingham, Mass., to repeatedly purloin information about customers.

The $17.4-billion retailer’s wireless network had less security than many people have on their home networks, and for 18 months the company — which also owns T.J. Maxx, Home Goods and A.J. Wright — had no idea what was going on. The hackers, who have not been found, downloaded at least 45.7 million credit- and debit-card numbers from about a year’s worth of records, the company says. A person familiar with the firm’s internal investigation says they may have grabbed as many as 200 million card numbers all told from four years’ records.

The previous record for card numbers exposed to thieves was 40 million. The TJX hackers also got personal information such as driver’s license numbers, military identification and Social Security numbers of 451,000 customers — data that could be used for identity theft. The company has apologized for its security lapse and beefed up its system. It rejects the 200 million figure as speculation, but says it may never know the precise number. TJX deleted its own copies of the records stolen by the hackers and can’t crack the encryption on files that the hackers left in its system.

{Are electronic health systems any more secure than TJX Companies’ system? How much health data today is transmitted over wireless networks and could be captured and decoded like the credit-card data from TJ Maxx, Home Goods and A.J. Wright? ~ Dr. Deborah Peel, Patient Privacy Rights}
