New details have emerged about what has become the largest consumer data theft to date. TJX, parent company of discount retailers T.J. Maxx and Marshalls, disclosed in a regulatory filing in late March that hackers had stolen data covering over 45 million credit and debit cards over an 18-month period. The Wall Street Journal has done some digging (subscription), and what has come to light is a sad tale of poor security and corporate irresponsibility. Unfortunately, we've seen it all before.

A ThinkPad and an empty Pringles can?

It all started in July 2005 with a laptop and a directional antenna. Some enterprising hackers set up shop outside of a Marshalls store near St. Paul, MN and quickly cracked the security on the store's WiFi network. The Journal reports they were then able to access just about all of the data flowing around the store and were eventually able to locate and compromise TJX's central customer database at its corporate headquarters in Framingham, MA.

In addition to pilfering over 45 million—and possibly as many as 200 million—credit card and debit card numbers, the hackers were also able to obtain other personal data from over 450,000 customers. This included driver's license numbers and Social Security numbers.

The cost has been immense. By the time that the intrusion was discovered in mid-December 2006, the credit card data stolen had been disseminated far and wide. Forrester Research estimates that when all is said and done, TJX could be on the hook for over $1 billion in costs related to the breach during the next five years.

So far, the costs of the fraudulent transactions have been borne by the banks and credit card companies, but TJX will likely have to provide restitution. A number of banks have sent letters to the retailer demanding reimbursement for fraudulent charges caused by the data breach. One group of almost 300 banks in New England has filed a class-action lawsuit accusing TJX of gross negligence in failing to protect consumer data with adequate security measures.

2001 called and it wants its state-of-the-art WiFi security back

In many ways, "gross negligence" doesn't even begin to describe TJX's blunder. When I first discovered that the retailer was relying on WEP to secure its store networks, I was stunned. WEP has been known to be incredibly easy to hack since the first cracks were demonstrated in 2001.

When we wrote our Wireless Security Blackpaper in July 2002, we pointed out the weaknesses of both 40-bit and 104-bit WEP. At the time, that security protocol had already been cracked, and since then, the cracks have become ludicrously easy: a group of German researchers revealed last month that they were able to recover the key to a 104-bit WEP-encrypted network in under two minutes using a 1.7 GHz Pentium M to do the heavy lifting.
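An added illustration of why the key length was beside the point (example code, not from the article or the cited research): WEP seeds RC4 with a 24-bit IV followed by the secret key, so the IV space is identical for 40-bit and 104-bit keys, and once an IV repeats under the same key the keystream repeats and cancels out of the ciphertexts. The keys, IV and frame contents below are constructed sample values.

```python
import math

# WEP prepends a 24-bit IV to the secret key when seeding RC4; this is the same
# for 40-bit (5-byte) and 104-bit (13-byte) keys, so the IV space never grows.
IV_BITS = 24
IV_SPACE = 1 << IV_BITS


def iv_collision_probability(frames: int, iv_space: int = IV_SPACE) -> float:
    """Birthday-bound probability that at least two of `frames` random IVs repeat."""
    if frames > iv_space:
        return 1.0  # pigeonhole: more frames than IVs guarantees a repeat
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * iv_space))


def frames_for_probability(p: float, iv_space: int = IV_SPACE) -> int:
    """Smallest frame count at which the IV-reuse probability reaches p."""
    k = -2.0 * iv_space * math.log1p(-p)  # solve n(n-1) = k for n
    return math.ceil((1.0 + math.sqrt(1.0 + 4.0 * k)) / 2.0)


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), just enough to show keystream reuse."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP-style encryption: RC4 seeded with IV || key (CRC-32 ICV omitted)."""
    assert len(iv) == 3 and len(key) in (5, 13), "24-bit IV; 40- or 104-bit key"
    ks = rc4_keystream(iv + key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def xor_of_plaintexts_on_iv_reuse(iv: bytes, key: bytes, p1: bytes, p2: bytes) -> bytes:
    """Same IV + same key => same keystream, so C1 ^ C2 == P1 ^ P2 (two-time pad)."""
    c1, c2 = wep_encrypt(iv, key, p1), wep_encrypt(iv, key, p2)
    return bytes(a ^ b for a, b in zip(c1, c2))
```

On a busy store network a few thousand frames are enough for an even chance of IV reuse, which is why the fix was never a longer key but a different protocol (WPA/WPA2).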

Equally alarming is the length of time that elapsed between when the hackers first compromised TJX's network and when their numerous intrusions were discovered. Taken together, these facts paint a picture of a company that was careless with its corporate network and, as a result, careless with its customers' personal data.

Companies playing fast and loose with consumers' personal data have become a sadly familiar story. In 2005, credit card processor CardSystems revealed that millions of credit card numbers—which CardSystems had retained in violation of its agreement with Visa and MasterCard—were stolen by hackers. Again, lax security was to blame, and the fact that Visa and American Express decided to terminate their payment processing agreements with CardSystems was little comfort to the millions of people who had their card numbers stolen.

The time for talking has passed

It's troubling that after years of data breaches, little has been done to address the underlying problems. After both the CardSystems data theft and another 2005 incident involving data services company ChoicePoint, politicians began making noise about enacting stricter controls over how consumer data is collected and disseminated, as well as forcing companies to reveal to customers when data thefts occur (only a handful of states, including California, currently require companies to notify customers of data breaches).

Such legislation is needed on the federal level. Consumers should be notified within a short period after their personal data is compromised. In addition, the amount of personal data companies are allowed to maintain on customers without their express consent should be severely limited. Congress should also ban the sale of Social Security numbers, as it considered doing in 2005 in the wake of the ChoicePoint fiasco. Most importantly, companies like TJX, CardSystems, and ChoicePoint, who are ultimately responsible for the data breaches, should be heavily penalized. What I said in June 2005 bears repeating: those trafficking in consumer data have proven themselves completely incapable of self-regulation. It's time for Congress to step up to the plate and hold those responsible for the problem accountable.