> series: anatomy_of_a_breach —— part: 005 —— target: tjx_companies —— cards_compromised: 94,000,000 —— entry: store_wifi
In July 2005, Albert Gonzalez and two accomplices drove along South Dixie Highway in Miami with a laptop and a directional antenna, scanning for vulnerable wireless networks. They found what they were looking for at a Marshalls store — part of the TJX Companies retail group that also owns TK Maxx in the UK. The store's wireless network was protected by WEP (Wired Equivalent Privacy), a protocol that was already known to be trivially breakable. Within minutes, they were connected to the store's internal network. Within months, they had access to payment processing servers in Massachusetts and Watford, UK, and were siphoning payment card data from millions of transactions.
The intrusion lasted 18 months before being discovered in December 2006. By that time, the attackers had compromised an estimated 94 million payment card records — making it the largest data breach in history at the time. The total cost to TJX exceeded $256 million, and the breach prompted fundamental changes to wireless security standards, PCI DSS enforcement, and the way retailers think about their in-store networks.
TJX operates as TK Maxx in the UK and Ireland. The breach directly impacted UK operations — the attackers accessed data stored on servers at TJX's European headquarters in Watford, Hertfordshire. While TJX later stated that no PIN data was believed to have been taken from UK-based systems, the breach exposed the personal information — including names, addresses, and driver's licence numbers — of UK customers who had used credit and debit cards at TK Maxx stores.
The UK Information Commissioner's Office investigated the breach, and it contributed to the growing pressure on the ICO to obtain stronger enforcement powers — a process that had begun with the HMRC breach the same year. The TJX breach demonstrated that a vulnerability in a single store in Miami could compromise customer data processed through servers in Watford — illustrating the interconnected nature of modern retail infrastructure and the global reach of local wireless security failures.
This breach is a textbook case for wireless penetration testing. A Wi-Fi assessment of any TJX or TK Maxx store would have immediately identified the use of WEP encryption and demonstrated that an attacker in the car park could connect to the store network and reach internal systems. Our wireless testing methodology — which we describe in our From the Hacker Desk article on Wi-Fi attacks from the car park — replicates exactly the approach Gonzalez used, in a controlled and authorised manner.
Beyond wireless testing, an internal infrastructure test would have identified the absence of network segmentation between the wireless network and payment processing systems. And a PCI DSS assessment would have flagged 9 of the 12 non-compliances that were later identified — any one of which should have triggered remediation before the attackers arrived.
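The two failures described above (WEP on the store network and no segmentation in front of payment systems) can be checked from an SSID inventory and the firewall policy. The following is an added example, not part of the original article or any TJX tooling; the SSIDs, subnets, rules and function names are constructed for illustration and assume an ordered, first-match-wins, default-deny policy.

```python
import ipaddress

WEAK = {"OPEN", "WEP"}  # no encryption, or keys recoverable from captured traffic
CDE = "10.99.0.0/24"    # constructed cardholder data environment subnet

# Constructed site-survey inventory (illustrative, not TJX data).
SSIDS = [
    {"ssid": "store-pos", "encryption": "WEP", "subnet": "10.20.0.0/24"},
    {"ssid": "store-guest", "encryption": "OPEN", "subnet": "10.30.0.0/24"},
    {"ssid": "store-corp", "encryption": "WPA2-Enterprise", "subnet": "10.40.0.0/24"},
]
# Constructed firewall policy: ordered, first match wins, default deny.
RULES = [
    {"src": "10.30.0.0/24", "dst": "10.0.0.0/8", "port": None, "action": "deny"},
    {"src": "10.0.0.0/8", "dst": "10.99.0.0/24", "port": 1433, "action": "allow"},
    {"src": "10.30.0.0/24", "dst": "0.0.0.0/0", "port": 443, "action": "allow"},
]

def weak_ssids(ssids):
    """SSIDs whose encryption offers no real protection."""
    return [s["ssid"] for s in ssids if s["encryption"].upper() in WEAK]

def paths_into_cde(ssids, rules, cde):
    """(ssid, port) pairs the policy permits from a wireless subnet into the CDE."""
    cde_net, found = ipaddress.ip_network(cde), []
    for s in ssids:
        wlan = ipaddress.ip_network(s["subnet"])
        for r in rules:
            src, dst = ipaddress.ip_network(r["src"]), ipaddress.ip_network(r["dst"])
            if not (src.overlaps(wlan) and dst.overlaps(cde_net)):
                continue
            if r["action"] == "allow":
                found.append((s["ssid"], r["port"]))
            # Partial denies are ignored, so the audit over-reports, never under-reports.
            elif r["port"] is None and wlan.subnet_of(src) and cde_net.subnet_of(dst):
                break  # blanket deny shadows every later rule for this pair
    return found

def weak_and_reachable(ssids, rules, cde):
    """The combination behind this breach: crackable Wi-Fi with a route to card data."""
    weak = set(weak_ssids(ssids))
    return sorted({ssid for ssid, _ in paths_into_cde(ssids, rules, cde) if ssid in weak})

if __name__ == "__main__":
    print("weak encryption:", weak_ssids(SSIDS))
    print("paths into CDE:", paths_into_cde(SSIDS, RULES, CDE))
    print("fix first:", weak_and_reachable(SSIDS, RULES, CDE))
```

In the sample data the guest network is weak but fenced off by the blanket deny, while the over-broad internal allow rule leaves the WEP-protected point-of-sale network with a path to the card database.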
The TJX breach was a wake-up call for wireless security — but 18 years later, we still find organisations with poorly secured Wi-Fi networks, inadequate segmentation between wireless and wired infrastructure, and guest networks that can reach production systems. The technology has improved (WPA3 is now the standard), but the implementation failures persist. If you have Wi-Fi networks in your organisation — corporate, guest, or IoT — and they have not been penetration tested, you have an unvalidated assumption about your security posture.
Our airspace and wireless security services assess your entire wireless footprint — including rogue access points, signal leakage, and the segmentation between wireless and wired networks. For incident response when a wireless breach is suspected, our parent company UK Cyber Defence provides forensic investigation and containment. And SOC in a Box provides continuous monitoring that detects the lateral movement and data exfiltration that defined this 18-month intrusion.
Our Wi-Fi penetration testing replicates the exact attack methodology used against TJX — from the car park to the payment server. Combined with network segmentation testing and PCI DSS assessment, we verify that your wireless networks cannot be used as an attack vector.