The Wall Street Journal reported today that the enormous theft of credit card numbers from TJX was not an inside job as previously reported but may have started with a compromise of the wireless network used in the stores. Those networks were "secured" with the obsolete WEP scheme, which is easily cracked if one can gather enough packets. Apparently the thieves sat outside the stores during peak shopping periods, starting in July 2005, and grabbed the traffic from the store staff's hand-held price and inventory devices. They got enough packets to reconstruct the WEP key. Once they had that, they eavesdropped on other traffic, including employees logging into the corporate servers. According to the article, there was no firewall, VPN, or encryption of user passwords, so it was only a matter of time before the thieves had gathered enough credentials to create their own accounts and thoroughly 0wn the corporate servers.