TJX Kiosk Rumors Re-Emerge
Written by Evan Schuman
August 11, 2007
How did the TJX breach start? Reports that the attack began using a wireless entry point have been confirmed by multiple investigators, but reports that circulated in March that the attacks began via an in-store employment kiosk have re-emerged.

Could both be true? It’s unlikely, as both entry attempts were reportedly successful, raising the question of why the second was attempted. Could TJX have actually been the victim of two simultaneous and unrelated attacks, one using wireless and the other a jobs kiosk that was not firewall-protected?

The kiosk rumors first surfaced in mid-March. Now a new unconfirmed single-source InformationWeek story reports that the TJX data breach began with non-firewall-protected in-store kiosks as entry points.

Reported details about the breach's beginnings are still sketchy. A Wall Street Journal report in May—which has subsequently been confirmed to StorefrontBacktalk by other investigators—detailed a wireless beginning to the data breach. If the TJX kiosk reports prove true, it's not clear if there were two unrelated attacks or if it was one attack that used two very different entry attempts.

The theory of two different approaches seems unlikely, as the reports suggest that both approaches were successful. A scenario with one approach being a backup for the other seems plausible, but why proceed with the backup plan if the initial effort worked? It's theoretically possible that the attackers used both methods simultaneously, but that also seems against the odds.

The latest version of the kiosk rumor, according to the InformationWeek story, is that the job-application kiosks—which had direct network access—were not firewall-protected. That's similar to the mid-March reports about TJX employment kiosks.

"The people who started the breach opened up the back of those terminals and used USB drives to load software onto those terminals," according to the IWEEK story. "The USB drives contained a utility program that let the intruder or intruders take control of these computer kiosks and turn them into remote terminals that connected into TJX's networks. The firewalls on TJX's main network weren't set to defend against malicious traffic coming from the kiosks. Typically, the USB drives in the computer kiosks are used to plug in mice or printers. The kiosks shouldn't have been on the corporate LAN, and the USB ports should have been disabled."


Evan Schuman is the former retail technology editor for eWEEK.com, PCMagazine, CIOInsight and retail reporter for RISNews and Consumer Goods Technology. Having covered IT issues for 21 years - and other stuff like legal affairs, politics, Wall Street and the environment for about eight years before that - Schuman is in a good position to gripe about technology trends and sometimes accidentally make a good point.
