RedSeal Blog

How TJX got hacked


The indictment of Albert Gonzalez gives some interesting insights into exactly how TJX was hacked–a breach of 94 million customer records. While the indictment is a bit vague, it’s still striking how basic the attack was and how easily (in retrospect) it could have been prevented.

This breach began when the hackers compromised a wireless access point in a store in Florida. They found it simply by driving around businesses with a laptop and wireless card, looking for reachable access points ("wardriving"). This compromise could have been prevented by using stronger encryption (WPA2 was already available) on the access point. WEP, the original 802.11 encryption, is notoriously easy to break: its 24-bit per-frame IV repeats quickly and its RC4 key scheduling leaks key material, so an attacker who passively captures enough traffic can recover the shared key in minutes. The indictment points out that some stores (BJ's Wholesale, not TJX) had no encryption on their wireless at all.
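To make concrete why WEP is so weak, here is an added example, not code from the RedSeal post: a minimal WEP encrypt/decrypt in Python (RC4 seeded with IV || shared key, CRC-32 integrity value), followed by the attacker side, which needs no key. Given one frame whose payload is predictable (ARP and DHCP traffic qualifies), the attacker XORs ciphertext with the known plaintext to recover the keystream for that IV and then reads any other frame sent under the same IV; the last function gives the birthday-bound number of frames before a randomly chosen 24-bit IV repeats. The shared key, IV, and frame contents are constructed. Tools of the era (aircrack-ng's PTW attack) go further and recover the shared key itself from captured traffic, which this snippet does not do.

```python
"""WEP keystream-reuse demonstration (constructed example, not from the post)."""
import math
import struct
import zlib

IV_LEN = 3       # WEP's 24-bit per-frame initialisation vector
KEY_ID_LEN = 1   # one byte after the IV selects one of four shared keys


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus PRGA; WEP seeds it with IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload: bytes) -> bytes:
    """WEP's integrity check value is a plain CRC-32 appended before encryption."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body: IV || key-id byte || RC4_{IV||key}(payload || ICV)."""
    if len(iv) != IV_LEN:
        raise ValueError("WEP IV must be 3 bytes")
    plaintext = payload + icv(payload)
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + b"\x00" + xor_bytes(plaintext, keystream)


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: strip IV/key-id, decrypt, check the ICV."""
    iv, body = frame[:IV_LEN], frame[IV_LEN + KEY_ID_LEN:]
    plaintext = xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))
    payload, tag = plaintext[:-4], plaintext[-4:]
    if icv(payload) != tag:
        raise ValueError("ICV mismatch")
    return payload


# --- attacker side: the shared key is never needed ------------------------

def recover_keystream(frame: bytes, known_payload: bytes) -> bytes:
    """Known plaintext: C xor (P || ICV) yields the keystream for this IV."""
    body = frame[IV_LEN + KEY_ID_LEN:]
    return xor_bytes(body, known_payload + icv(known_payload))


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Any frame that reuses the same IV is decrypted with that keystream."""
    return xor_bytes(frame[IV_LEN + KEY_ID_LEN:], keystream)


def frames_until_iv_collision(probability: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: frames before a random IV repeats with the given probability."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")   # constructed 40-bit shared key
    iv = bytes.fromhex("aabbcc")        # the access point reuses this IV
    # constructed frames: one with guessable content, one carrying card data
    known = b"ARP request  who-has 10.0.0.1 tell 10.0.0.77 " + b"\x00" * 32
    secret = b"track2: 4111111111111111=2501101"
    frame_known = wep_encrypt(key, iv, known)
    frame_secret = wep_encrypt(key, iv, secret)
    ks = recover_keystream(frame_known, known)
    print(decrypt_with_keystream(frame_secret, ks)[:len(secret)])
    print("frames until a random IV repeats (p=0.5):", frames_until_iv_collision())
```

The point of the last function: with 2^24 possible IVs a busy access point repeats one after roughly 4,800 frames on average when IVs are random, and after at most 16.7 million when they are counted up, so keystream reuse is a matter of minutes on a store network, not a theoretical concern.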

The hackers then gained access to servers in Framingham containing card data. They used this access both to pull cardholder data directly and to install a sniffer on the network. The indictment does not specify how they got from a store network to these servers, but network segmentation (firewall rules between store LANs and the card-data servers) or proper server patching should have stopped them.

The hackers then set up a VPN tunnel from the transaction server to an external server and used it to extract data. An outbound tunnel from a transaction server to an arbitrary Internet host is exactly what egress filtering exists to stop: a default-deny outbound rule set that permits only the payment processor and a few other named destinations would have blocked it. In fact, PCI DSS requirement 1.3 explicitly requires firewalls to block unauthorized outbound traffic from the cardholder data environment.
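To show what that rule set looks like in practice, here is an added example in Python, not from the RedSeal post and not TJX's own configuration: a default-deny egress policy for a hypothetical transaction server, an evaluator that runs it over constructed flow records and flags the connections that should never have left the cardholder data environment, and a renderer that emits the equivalent iptables OUTPUT rules. The addresses (RFC 5737 documentation ranges and a 10.20.0.0/16 internal network), the ports, the timestamps, and the "payment processor" destination are all assumptions.

```python
"""Default-deny egress policy for a cardholder-data host (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    dst: ipaddress.IPv4Network
    proto: str
    port: int
    comment: str


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


# Constructed allow-list for a hypothetical transaction server.  Only the
# payment processor and an internal log collector are reachable; every other
# new outbound connection falls through to the default DROP policy.
ALLOW = [
    Rule(ipaddress.ip_network("203.0.113.0/28"), "tcp", 443, "payment processor (assumed)"),
    Rule(ipaddress.ip_network("10.20.0.5/32"), "udp", 514, "internal syslog (assumed)"),
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: ts src dst proto dport.  The last two lines are the
# kind of connection the post describes: a tunnel from the transaction server
# to an unknown external host.
SAMPLE_FLOWS = """
2024-05-01T02:14:07Z 10.20.30.5 203.0.113.7 tcp 443
2024-05-01T02:14:09Z 10.20.30.5 10.20.0.5 udp 514
2024-05-01T02:15:31Z 10.20.30.5 198.51.100.23 tcp 443
2024-05-01T02:15:40Z 10.20.30.5 198.51.100.23 udp 1194
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse the whitespace-separated constructed flow format above."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, dport = line.split()
        flows.append(Flow(ts, src, dst, proto, int(dport)))
    return flows


def allowed(flow: Flow, rules: List[Rule] = ALLOW) -> Optional[Rule]:
    """Return the matching allow rule, or None (default deny)."""
    ip = ipaddress.ip_address(flow.dst)
    for r in rules:
        if ip in r.dst and r.proto == flow.proto and r.port == flow.dport:
            return r
    return None


def violations(flows: List[Flow], rules: List[Rule] = ALLOW) -> List[Flow]:
    """Flows the firewall should have dropped; also what a detection rule would alert on."""
    return [f for f in flows if allowed(f, rules) is None]


def is_external(flow: Flow) -> bool:
    """True when the destination is outside RFC 1918 space, i.e. on the Internet."""
    ip = ipaddress.ip_address(flow.dst)
    return not any(ip in n for n in RFC1918)


def to_iptables(rules: List[Rule] = ALLOW, iface: str = "eth0") -> List[str]:
    """Render the policy as iptables OUTPUT-chain commands (default policy DROP)."""
    lines = [
        "iptables -P OUTPUT DROP",
        "iptables -A OUTPUT -o lo -j ACCEPT",
        "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in rules:
        lines.append(
            f"iptables -A OUTPUT -o {iface} -p {r.proto} -d {r.dst} --dport {r.port} "
            f"-m conntrack --ctstate NEW -m comment --comment \"{r.comment}\" -j ACCEPT"
        )
    # log whatever falls through before the DROP policy discards it
    lines.append("iptables -A OUTPUT -j LOG --log-prefix \"CDE-EGRESS-DENY: \"")
    return lines


if __name__ == "__main__":
    for f in violations(parse_flows(SAMPLE_FLOWS)):
        where = "external" if is_external(f) else "internal"
        print(f"DENY {f.ts} {f.src} -> {f.dst} {f.proto}/{f.dport} ({where})")
    print("\n".join(to_iptables()))
```

Two design choices worth noting: the policy is keyed on destination network, protocol and port together, so a tunnel to an unknown host on an "allowed" port such as 443 is still denied; and the same evaluator that generates the firewall rules can be run over flow logs after the fact, which is how a security team would have spotted the transaction server talking to a host it had no business reaching.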
