Tuesday, October 2, 2007

TJX: A Glimmer of Clue?

This is the first time I've heard anyone say anything about TJX doing something about their network security posture. But read between the lines here. WEP has been thrown under the bus, they've implemented WPA, but all of these credit card numbers lived in a database.

Is it safe to assume that the sa or sysdba password was different than the WEP key? OK, then maybe WEP wasn't the only problem? It's disingenuous to make WEP the scapegoat for what is a larger security failure. But, hey, at least they're using WPA now. Anybody taking bets as to whether or not it's WPA-PSK?
