Source code for Wal-Mart's point-of-sale computer system was hacked and siphoned into Eastern European computers in 2005 and 2006, Wired.com reported today. The scale of the attack calls into question whether major retailers have been adequately complying with credit-card security standards that have been in place for nearly a decade.
Because there was no evidence that consumer information was tampered with, Wal-Mart did not publicly disclose the breach, but did report it to federal law enforcement. Wal-Mart engineers discovered their system had been hacked into by a computer in Belarus after finding password-cracking code embedded in one of the company's servers. When the hacker tried to activate the tool, the server crashed, raising a red flag. He had burrowed into the server using the VPN account of a former Wal-Mart employee; even as Wal-Mart IT staff were closing down that VPN account, he fired up two others and re-connected.
But because Wal-Mart's servers track only failed login attempts, not successful ones, it's impossible to know how many machines the hacker accessed. Similar breaches were occurring around the same time in the databases of TJX, parent company of Marshall's, and at the Dave & Buster's arcade chain; hackers there used antennas to grab unsecured WiFi signals while sitting outside stores, and then used the data to hack into company servers.
Months before, an internal audit had found Wal-Mart's servers were caching thousands of credit card numbers unencrypted. There's no evidence of massive data theft, according to Wired.com, but the relative ease of the attacks is sobering: Wal-Mart and retailers like it are treasure troves of consumer information. They also use homegrown software, not off-the-shelf solutions, because of the scale of their applications—that keeps accountability in-house and private. Can we trust them?