
Hacking the Real TJX Story

Source claims attackers used store kiosks to break into TJX systems, but the retailer's not commenting

5:30 PM -- I got a hot tip from a reliable source a couple of days ago: The recent TJX breach was not your typical outside hacker job, as has been reported. (See TJ Maxx Probe Reveals Data Breach Worse Than Originally Thought.)

The source, who had gotten this inside scoop from someone with knowledge of the TJX breach, said the attackers actually walked into several TJ Maxx stores, posing as prospective job applicants.

As with many retailers, employment application kiosks reside in the back of the stores, so the attackers were sent to "fill out" their online applications. They then broke into the kiosks, according to the source, and installed some sort of hardware taps to help them steal data. The details get sketchy from there.

So I went about my reporting, first going to TJX. No return calls. (As of 4:30 p.m. EST, I still have not heard back from TJX PR. That was two messages ago.)

I pinged a hacker buddy, hoping he had some inside knowledge of the break-in, or knew someone who did. He did not, but he offered up some perspective on how such a break-in would work technologically, with tools such as KeyGhost, which installs in seconds and, once in place, remains undetected and reads all data typed into a keyboard.

This is assuming, of course, that the kiosks were connected to the corporate Intranet, or via a Web-based application, or a VPN tunnel, for instance, he says.

I also got some interesting perspective from Steve Stasiukonis, vice president and founder of Secure Network Technologies Inc., who does social engineering for a living (for his clients). I was lamenting how difficult getting this information confirmed would be, and he suggested I go down to my local TJ Maxx store and just play dumb -- ask a few questions as a "customer," or even as a prospective employee to have a look at the kiosk in the back.

It sounded like fun, but ethically, I really couldn't social-engineer my local TJ Maxx manager to find out whether they have a kiosk in back, or how the data was compromised. And I prefer to use any spare cash I have for groceries, not bail.

Stasiukonis messaged me later to tell me he went it alone, acting as a "customer," phoning a store near his office and speaking to the store manager and assistant manager. But they didn't know much more than any of the rest of us: "The store manager said the breach happened at headquarters approximately two years ago," he told me, noting that both managers seemed to know little about the attack. Corporate folks had also told them it had happened at the national level, and that affected customers should call the telephone number in the letter TJX sent announcing the breach.

So, still no confirmed details on how this thing went down.

Stasiukonis, meanwhile, poses some good questions on the prospect of such a kiosk-based attack -- or any local attack on in-store machines -- if this did indeed go down as this source says. How would the attackers funnel data back to themselves exactly? Did they add a hardware device? Could they get other apps from the kiosk? Did they leverage the kiosk jack and put in a WLAN to get onto the TJ Maxx network? Could they pull this off more than once in the same location?

Will we ever really know? I mean, it took TJX years to either figure out or disclose that its systems had been compromised in the first place.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
