TJX e-mails tell the tale

Executives at TJX Cos., which in January revealed a massive security breach that put millions of its customers’ personal information at risk, knew two years ago that the company’s wireless payment network was vulnerable to attack, according to court documents.

In 2005, TJX officials also discussed the need to update the company’s wireless network security to a more secure Wi-Fi Protected Access (WPA) system, and whether that update could be deferred to save money, according to e-mail exchanges between TJX employees. The e-mails were included in court documents filed in a lawsuit brought by a group of banks against TJX.

The security breach, the nation’s largest, began in mid-2005 and was discovered by TJX in late 2006. TJX has since been accused of failing to safeguard customers’ information and faces a myriad of lawsuits. Canadian officials who conducted their own investigation said criminals hacked into TJX’s wireless networks while outside two Marshalls stores in Miami.

The e-mails reveal TJX executives’ concerns about the network.

“WPA is clearly best practice . . .” Paul Butka, TJX’s chief information officer, wrote in a Nov. 23 e-mail to other TJX employees. “I think we have an opportunity to defer some spending from FY ’07’s budget by removing the money from the WPA upgrade, but I would want us all to agree that the risks are small or negligible.”

In response, TJX employee Lou Julian sent an e-mail saying, “Saving money and being PCI compliant is important to us, but equally important is protecting ourselves against intruders.”

Julian wrote that the company was “vulnerable” with the Wired Equivalent Privacy (WEP) encryption standard it had in place. “It must be a risk we are willing to take for the sake of saving money and hoping we do not get compromised,” he wrote.

TJX vice chairman Donald Campbell in a statement said that TJX’s computer security prior to the breach was “similar to that of other large retailers.”

“These TJX internal e-mails are just a very small portion of the extensive, ongoing dialogue on the topic of WPA wireless network security and timing of spending which occurred at TJX,” Campbell said.

“TJX decided to move to WPA in advance of being required to do so by the payment card industry. Spending on WPA conversion was not deferred by TJX; in fact, it was accelerated and TJX completed conversion to WPA in advance of its conversion timetable and ahead of many major retailers.”
