It sounds like someone traced the TJX breach back to a store in Minnesota that employed WEP as their only(?) protection for their wireless system. While this is a simplistic announcement, it certainly is not the whole story.
This illustrates how just one weak part of a huge network (or business) like TJX can bring the whole thing down. You can roll out secured (?) wireless to 1,000 stores, but it just takes one store whose manager doesn’t quite understand the technology (should they really, though?) or one overlooked site by the techs doing the setup and you suddenly become a part of security and business history.
I also wonder where the layered protections were. Did this Minnesota store get automatically bridged into the corporate network that had access to all this sensitive data whizzing by? Did no one have any logs or tripwires up on anything to monitor access? How well did the attackers cloak themselves to look like innocuous or expected systems? Was anyone watching the wireless access logs, or anomalies in data collection/transfer that most probably occurred?
I see that the article mentions software patching was lax. I see that employee logins were sniffed (NTLM or clear text to proprietary system?). Sadly, for as much as we need details to improve security both at TJX and with PCI auditors (and the rest of us!), this is so costly that I doubt we hear more details for years until the courts release it. Did they ever rotate wireless passphrases? What was the real need for wireless in the first place?
So let’s say I’m in Minnesota and see a Marshalls using WEP on their wireless network. I crack WEP and do some testing and practice some patience to make sure no one’s watching the access and that I don’t trip any IDS. Eventually I get comfortable enough to log onto the network and perform some stealth scans to see what I can see. I bet I can see a lot, including some unpatched machines which I can get a foothold into (in a best case scenario for me, I might just be right on the full corporate network through some dedicated VPN setup). This pretty much shows me that admins at TJX aren’t quite as diligent as they should be, which can put me and my cohorts at ease. From there, I can sniff on systems I own and pilfer what I can. Lack of software patching standards probably means shared passwords everywhere too.
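The "logs or tripwires" question above and the walk-through of what an intruder would do on a store WLAN suggest two cheap detections a store network could have run. This is an added example, not code from the original post; the log format, the store id, the MAC inventory and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample controller/firewall log lines for one store (not real data).
SAMPLE_LOG = [
    "2007-01-15T02:11:03 store=MN0421 event=assoc client=00:1a:2b:3c:4d:5e",
    "2007-01-15T02:11:09 store=MN0421 event=dhcp client=00:1a:2b:3c:4d:5e ip=10.42.1.77",
    "2007-01-15T02:12:00 store=MN0421 event=syn src=10.42.1.77 dst=10.42.1.10 dport=22",
    "2007-01-15T02:12:01 store=MN0421 event=syn src=10.42.1.77 dst=10.42.1.10 dport=139",
    "2007-01-15T02:12:02 store=MN0421 event=syn src=10.42.1.77 dst=10.42.1.10 dport=445",
    "2007-01-15T02:12:03 store=MN0421 event=syn src=10.42.1.77 dst=10.42.1.11 dport=445",
    "2007-01-15T02:12:04 store=MN0421 event=syn src=10.42.1.77 dst=10.42.1.12 dport=445",
    "2007-01-15T02:12:05 store=MN0421 event=syn src=10.42.1.77 dst=10.42.1.13 dport=445",
    "2007-01-15T10:05:00 store=MN0421 event=assoc client=00:0c:f1:aa:bb:01",
    "2007-01-15T10:05:30 store=MN0421 event=syn src=10.42.1.20 dst=10.42.1.10 dport=443",
]

# Constructed per-store inventory of the MAC addresses that belong on the store WLAN.
KNOWN_CLIENTS = {"MN0421": {"00:0c:f1:aa:bb:01", "00:0c:f1:aa:bb:02"}}

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Turn 'timestamp k=v k=v ...' into a dict; the timestamp is the first token."""
    ts, _, rest = line.partition(" ")
    rec = dict(KV.findall(rest))
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def unknown_associations(lines, inventory, open_hour=8, close_hour=22):
    """Tripwire 1: a client MAC not in the store inventory associating with the AP.
    Off-hours associations are tagged, since a store WLAN should be quiet then."""
    hits = []
    for r in map(parse, lines):
        if r.get("event") != "assoc":
            continue
        if r["client"] not in inventory.get(r["store"], set()):
            off_hours = not (open_hour <= r["ts"].hour < close_hour)
            hits.append((r["store"], r["client"], off_hours))
    return hits

def scan_like_sources(lines, min_targets=4):
    """Tripwire 2: one source touching many distinct host:port pairs across the log,
    which looks like the 'see what I can see' step rather than normal POS traffic."""
    targets = defaultdict(set)
    for r in map(parse, lines):
        if r.get("event") == "syn":
            targets[r["src"]].add((r["dst"], r["dport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}
```

Either hit alone is worth a page to the store's on-call; both together, from the same newly associated client, is the layered signal the post is asking about.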
Blah blah blah…there’s plenty of places where TJX should have detected and/or slowed down these attackers. Death by a thousand cuts is becoming a pet phrase of mine…