By Donna Goodison
November 28, 2007
Executives at TJX Cos., which in January revealed a massive security
breach that put millions of its customers' personal information at risk,
knew two years ago that the company's wireless payment network was
vulnerable to attack, according to court documents.
In 2005, TJX officials also discussed the need to update the company's
wireless network security to a more secure WiFi protected access (WPA)
system and whether it could be deferred to save money, according to
e-mail exchanges between TJX employees. The e-mails were included in
court documents filed in a lawsuit brought by a group of banks against
The security breach, the nation's largest, began in mid-2005 and was
discovered by TJX in late 2006. TJX has since been accused of failing to
safeguard customers' information and faces a myriad of lawsuits. Canadian
officials who conducted their own investigation said criminals hacked
into TJX's wireless networks while outside two Marshalls stores in Miami.
The e-mails reveal TJX executives' concerns about the network.
"WPA is clearly best practice . . ." Paul Butka, TJX's chief information
officer, wrote in a Nov. 23 e-mail to other TJX employees. "I think we
have an opportunity to defer some spending from FY 07's budget by
removing the money from the WPA upgrade, but I would want us all to
agree that the risks are small or negligible."
In response, TJX employee Lou Julian sent an e-mail saying, "Saving money
and being PCI compliant is important to us, but equally important is
protecting ourselves against intruders."
Julian wrote that the company was vulnerable with the wired-equivalent
privacy encryption (WEP) standard it had in place. "It must be a risk we
are willing to take for the sake of saving money and hoping we do not
get compromised," he wrote.
TJX vice chairman Donald Campbell in a statement said that TJX's computer
security prior to the breach was similar to that of other large
"These TJX internal e-mails are just a very small portion of the
extensive, ongoing dialogue on the topic of WPA wireless network
security and timing of spending which occurred at TJX," Campbell said.
TJX decided to move to WPA in advance of being required to do so by the
payment card industry. Spending on WPA conversion was not deferred by
TJX; in fact, it was accelerated and TJX completed conversion to WPA in
advance of its conversion timetable and ahead of many major retailers.