Hi-Tech Heist

How Hi-Tech Thieves Stole Millions Of Customer Financial Records

Do you think twice when typing in your credit card number online, but have no problem handing over your plastic card at a store? Well actually, you may have it backward. Your personal information may be more secure in cyberspace than at the mall down the road.

That's because it's easier for dot-coms to protect the data. And most stores in America underestimate how vulnerable they are.

As correspondent Lesley Stahl reports, it's becoming a big problem. The retail industry got a wake-up call earlier this year, when TJX, the parent company of T.J. Maxx and Marshalls, disclosed it had suffered the worst high-tech heist in shopping history. Hackers raided the company's computer system, taking off with tens of millions of records. And what we have learned is: TJX could have prevented it.

"They collected too much personal information. They kept it too long. And finally, they didn't keep it according to appropriate security standards," says Canadian Privacy Commissioner Jennifer Stoddart, who led the investigation of the TJX theft for the Canadian government and the Province of Alberta, and released her findings before investigations in the U.S. are finished. TJX operates chains in both countries.

Asked if there's an actual place where the crime took place, Stoddart tells Stahl, "Yes, it seems that the intrusion happened at two Marshalls stores in the Miami area."

"Did the crime happen inside the stores or outside the store?" Stahl asks.

"This was a case of penetrating the network from without the stores because it is…a wireless network. You can then capture the wireless transmissions if they're not sufficiently encrypted," Stoddart says.

When you swipe your credit card, the data on its magnetic stripe is often sent over the store's wireless network, either on to a bank for approval or to the store's main computer. But radio signals do not stop at the wall: the transmission carrying your information can be picked up outside the building.

Stahl got her first lesson in something called "war driving," which means driving around with a laptop that logs every wireless network in range, from Kris Harms, a computer forensic investigator for Mandiant, a computer security company, who showed her how hackers, sitting outside in a van, can grab the stores' wireless data.

"So you and I are in this parking lot, and we park in front of one of these big stores. We can just pluck it, is what you're saying, right through the wall," Stahl remarked.

"Absolutely," Harms replied.

All you need, he says, is a regular computer; the software he got for free. Within moments, Stahl and Harms started getting results.

"Right now, we're right in front of Best Buy," Stahl remarked.

"Right so, Best Buy has a wireless network," Harms explained.

The computer identified which stores have wireless signals. Some stores hide their identities, others don't. Besides Best Buy, Staples popped up, and Home Depot -- with its signature color -- wasn't hard to identify either.

"It doesn't say Home Depot, but it says 'Orange,'" Stahl noted.

Those three stores told 60 Minutes the wireless signals Harms and Stahl detected do not link to their customer data-banks. But sometimes similar signals do lead hackers to computer systems where the data is held. Harms told 60 Minutes that stores should have security to prevent that.

"When wireless first became a technology for people to use, they realized that they needed a way to protect that data that's flying around in this cloud. So they designed WEP," Harms explains.

WEP, short for Wired Equivalent Privacy, was the encryption built into the original Wi-Fi standard in the late 1990s, just as big chains started going wireless. But within a couple of years researchers had shown how to recover a WEP key from captured traffic, rendering it obsolete. If you go on YouTube today, you can learn how to crack it in minutes.

Now there is much better encryption, called WPA. In fact, credit card companies urge retailers to upgrade to WPA. But upgrading can mean replacing older equipment, so many stores resist it, even though anyone scanning from the parking lot can tell who hasn't: an access point announces whether it is using WEP or WPA in the beacons it broadcasts, before any connection is made.
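As an added illustration of how a war-driving tool tells WEP from WPA without ever connecting (this is example code written for this page, not 60 Minutes', Mandiant's or Harms' software), the following parses the body of an 802.11 beacon frame: the Privacy bit in the capability field says encryption is required, and the presence of an RSN element (WPA2) or the Microsoft-OUI WPA element says which kind; Privacy set with neither element means legacy WEP. The sample beacons, their SSIDs and the store labels are constructed for the demo and do not correspond to any real network.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

# Capability Information field, bit 4: "Privacy". Set whenever the AP requires
# encryption of any kind (WEP, WPA or WPA2); on its own it does not say which.
PRIVACY_BIT = 0x0010
IE_SSID, IE_RSN, IE_VENDOR = 0, 48, 221
# A WPA (pre-802.11i) network is advertised in a vendor-specific element whose
# first four bytes are the Microsoft OUI 00:50:F2 followed by type 1.
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"


@dataclass
class Beacon:
    ssid: str
    privacy: bool
    security: str   # "OPEN", "WEP", "WPA" or "WPA2"


def parse_ies(body: bytes) -> list[tuple[int, bytes]]:
    """Split the tagged-parameter part of a beacon into (element id, data) pairs."""
    ies, i = [], 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        data = body[i + 2:i + 2 + length]
        if len(data) < length:      # truncated element: stop rather than mis-parse
            break
        ies.append((eid, data))
        i += 2 + length
    return ies


def classify_beacon(frame_body: bytes) -> Beacon:
    """Classify one beacon frame body (the bytes after the 802.11 MAC header)."""
    if len(frame_body) < 12:
        raise ValueError("beacon body shorter than its 12 fixed-field bytes")
    # Fixed fields: 8-byte timestamp, 2-byte beacon interval, 2-byte capability info.
    _timestamp, _interval, capability = struct.unpack_from("<QHH", frame_body, 0)
    ssid, has_rsn, has_wpa = "", False, False
    for eid, data in parse_ies(frame_body[12:]):
        if eid == IE_SSID:
            ssid = data.decode("utf-8", "replace") if data else "<hidden>"
        elif eid == IE_RSN:
            has_rsn = True
        elif eid == IE_VENDOR and data[:4] == WPA_OUI_TYPE:
            has_wpa = True
    privacy = bool(capability & PRIVACY_BIT)
    if not privacy:
        security = "OPEN"
    elif has_rsn:
        security = "WPA2"       # RSN element present (reported even if a WPA element is also there)
    elif has_wpa:
        security = "WPA"
    else:
        security = "WEP"        # encryption required but no RSN/WPA element: legacy WEP
    return Beacon(ssid, privacy, security)


def survey(captures: dict[str, bytes]) -> dict[str, str]:
    """Map each captured beacon (keyed by a label) to its advertised security."""
    return {label: classify_beacon(body).security for label, body in captures.items()}


def weak_networks(captures: dict[str, bytes]) -> list[str]:
    """Labels of networks a war driver would flag: no encryption, or WEP."""
    return [label for label, sec in survey(captures).items() if sec in ("OPEN", "WEP")]


# --- constructed sample data (hypothetical SSIDs, not real stores) -------------

def build_beacon(ssid: bytes, privacy: bool, ies: list[tuple[int, bytes]] = ()) -> bytes:
    """Assemble a minimal beacon body for testing; timestamp 0, interval 100 TU."""
    body = struct.pack("<QHH", 0, 100, PRIVACY_BIT if privacy else 0)
    body += bytes([IE_SSID, len(ssid)]) + ssid
    for eid, data in ies:
        body += bytes([eid, len(data)]) + data
    return body


# RSN element: version 1, group CCMP, one pairwise suite CCMP, one AKM PSK, caps 0.
RSN_CCMP_PSK = (b"\x01\x00" + b"\x00\x0f\xac\x04" + b"\x01\x00" + b"\x00\x0f\xac\x04"
                + b"\x01\x00" + b"\x00\x0f\xac\x02" + b"\x00\x00")
# WPA element: OUI/type, version 1, group TKIP, one pairwise TKIP, one AKM PSK.
WPA_TKIP_PSK = (WPA_OUI_TYPE + b"\x01\x00" + b"\x00\x50\xf2\x02" + b"\x01\x00"
                + b"\x00\x50\xf2\x02" + b"\x01\x00" + b"\x00\x50\xf2\x02")

SAMPLE_BEACONS = {
    "guest":      build_beacon(b"StoreA-Guest", privacy=False),
    "legacy_pos": build_beacon(b"StoreA-POS", privacy=True),                    # WEP
    "wpa_pos":    build_beacon(b"StoreB-POS", privacy=True, ies=[(IE_VENDOR, WPA_TKIP_PSK)]),
    "wpa2_pos":   build_beacon(b"StoreC-POS", privacy=True, ies=[(IE_RSN, RSN_CCMP_PSK)]),
    "hidden":     build_beacon(b"", privacy=True),                              # hidden SSID, WEP
}

if __name__ == "__main__":
    for label, body in SAMPLE_BEACONS.items():
        b = classify_beacon(body)
        print(f"{label:11} {b.ssid:14} {b.security}")
    print("flag for follow-up:", weak_networks(SAMPLE_BEACONS))
```

Two caveats for anyone reading the output the way Stahl read Harms' screen. A hidden SSID (an empty SSID element, as in the "hidden" sample) conceals the name but not the security type, so hiding the network's identity does nothing against this check. And "WPA" on the screen is only the floor: the original WPA with TKIP has itself since been deprecated in favour of WPA2 and WPA3, and a network advertising strong encryption can still carry card data in the clear once it reaches the store's wired network.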

"It's saying WEP or WPA. That's telling you if they have good encryption devices," Stahl remarked, looking at Harms' computer.

"That's right," Harms replied.

"It's actually telling you that right on your computer?" Stahl asked.

"Absolutely," Harms said.

"That's amazing," Stahl said. "So are you able, with what you have right here in the car with us, to crack WEP right now?"

"Executing the attack is as simple as clicking a button and making it happen," Harms said. "You have pierced the first wall of what, hopefully is many."