TJX Fires Employee For Disclosing Vulnerability
I Don't Believe in Imaginary Property writes "A TJX employee was fired for an online post mentioning that TJX hasn't beefed up security after the recent, massive data breach that saw 94 million credit card numbers copied by criminals and money from their accounts stolen. The employee mentioned that, at first, their usernames were the same as their passwords. After they required stronger passwords, some managers complained, so they 'compromised' by allowing blank passwords. The whistleblower said he discussed his concerns with management, but that it was like talking to a brick wall. In spite of the weak internal security, TJX now has a firm that scours the internet to find bad things posted about them, which is how they found the message and fired him for it. Too bad they don't appear to have hired anyone to beef up operational security or to convince people to use strong passwords."
If you non-anonymously whistleblow on your own company what do you expect..
Who is TJX and how can I avoid doing business with them, but then I realized they were TJ Maxx and Marshall's and I don't do business with them anyways.
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
Sadly this is business as a whole. They would rather spend a little after the fact to defend rather than spend just a few dollars to beef up security before a problem occurs. Management is completely inept most times when it comes to security concerns.
Sounds like they were a shitty company anyways. I'm sure he'll be better off w/another company.
This was a server at one store, not the TJX headquarters where the data is kept.
I used the same password as this account, and obviously some people found out about it and have been posting under my username for ages! :(
Seriously, what did he expect, that a lazy corporation was going to reform its security policies because a 23-year-old hourly employee complained anonymously on a blog? And what did he think they were going to do when they caught him, give him a raise and a promise to change their cheap lazy ways?
SJW: Someone who has run out of real oppression, and has to fake it.
"So last August, Benson took to Sla.ckers.org, a website dedicated to web application security, and began anonymously reporting the shoddy practices in this user forum."
This guy should be promoted to CIO for the company and given carte blanche to clean house on the asshole who did not deal with the original issue. Until I hear that this guy is justly treated, we will not ever spend another penny in TJX stores. Enough of us and the CEO will be looking for a new job.
This data is implicitly safe now by the weak American Dollar, it would be like stealing Pesos.
I don't blame him at all. There is far too much incompetence out there regarding data security. I am lucky to work for a company that listens, but I have quite a few friends who work for companies that don't seem to give a damn. It's a shame.
To protect whistleblowers, aren't there? Although, that might only be in the government, and maybe government contractors. Not sure if it extends to the private sector.
The thing I'm puzzled about is, I thought that the electronic payment networks (MasterCard, Visa, Discover, Amex, etc) had very specific requirements for data security, including audits, which filter down to merchants (I realize that merchants don't generally do business directly with the networks [unless, maybe, they're Walmart or Sears], and instead go through intermediate companies that 'resell' the network services, but I thought the security requirements, and audit regimen, bubble down through the whole hierarchy?)
Here's the TJX web site [warning: Flash], where you'll learn that they are TJMaxx, Winners, Marshalls, HomeSense, HomeGoods, TKMaxx, AJWright, and Bob's Stores. You can also read a nice letter from the TJX president and CEO describing how they have "...worked diligently with some of the world's best computer security firms to further enhance our computer security."
Blank passwords. Wow. No bad guys would ever try that. Disclosing that policy would really compromise security, wouldn't it?
Hey, yeah, what was this guy thinking, doing the right thing in spite of the risks? He deserved to get screwed over, right? Everyone just play along, don't rock the boat, do what you're told, and shut the hell up. Thanks so much for sharing your sage wisdom and mature outlook.
Maybe he expected exactly what happened and blew the whistle anyway. So, wise elder, what would you have done?
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Dear TJX,
We're the Slashdot community, and would like you to meet Ms Barbara Streisand, who can help you with your media relations problem.
Yours Truly,
Slashdot Community.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
If we don't talk about it, it'll go away. Shhh.
No security problem, not here. huh huh.
Laughter is the Spackle of the Soul.
Being a whistleblower means sacrifice. No one gives you a medal for doing the right thing, nor should you expect anything but scorn.
Yes, things currently work that way. Things shouldn't work that way.
upon the advice of my lawyer, i have no sig at this time
Whining on a web forum isn't whistle blowing. Either report it up the management chain, or if that really isn't working, get a real reporter involved - do something that would actually do something, not just log on and whine.
I've got the same key for my ssh sessions (with apologies to Debian).
SIG: HUP
I think it is time you hired a more competent CIO, who makes it a priority to EXECUTE on security issues.
Assuming this is how things actually are, what makes you think this kid expected anything different? Where do you see him begging for a medal?
But it really sounds like you are going further, saying that not only is this how things are, but how they ought to be. It really sounds like you are coming down on the guy for doing the right thing.
Or maybe you are trying to say that everyone should be as cynical as you are? Maybe you believe that we should all expect to get fucked over for doing the right thing, and anyone who doesn't expect that is an idiot who deserves what they got.
Please clarify, do you think this guy got the treatment he deserves? Should we not be outraged here? I'm confused as to your motives for posting what you originally did.
.... THIS GUY has a blank password for his computer. Look at him!
That is soooo a fake mustache and hairpiece. He has to be a double agent working for the opposition. Probably Target or Kmart or something like that. The whistleblower dude probably got too close to revealing the truth. Lucky he didn't end up in some cement shoes or some cheap knock-off Chinese shoes that TJX sells at their stores.
On top of that I'm a bit suspicious as to how privy the kid was to information above and beyond the immediate problem (ongoing work being done, the reasoning for the null passwords could have been a recently introduced bug, etc.).
Fun quotes:
My store manager even posted the password and username on a post-it note. I told her not to do that.
I am not sure if this is just an isolated incident within this specific store, but it goes to show that you can't trust a company to protect your information, especially TJX
The article is never very specific regarding Nick's exact role at the store (network administrator? security auditor?) but leaves this tidbit:
while marking down items on the TJ Maxx retail floor, he was summoned to the store office.
So our insider informant was a...stock boy? A sales clerk? No offense but the whole process seems pretty screwy and all that I can get out of it was that he sacrificed his job (knowingly, and was fired appropriately) for either the better good or a small spot of geeky notoriety.
Quack, quack.
Since when is "allowing blank passwords" a compromise, and not stupid?
Web 2.0 == Giant Blogspam Circle Jerk
But things always have worked that way, and, most likely, always will work that way. It's just how life is, sadly.
..given past record "further" is exactly NOT where they ought to be heading :-).
It is ridiculous the passwords they let you use.. The whistleblower is true.. you can even have a one character password if you'd like. TJ Maxx hasn't beefed up security at all. I know I wouldn't pay with credit card there if I were you....
Blank passwords, might as well have no passwords....wait that's what they did. That pesky firewall keeps blocking things also, can we change it to default allow all to all?
Things will always work that way. Hippies will always be a minority. People will always be people, and you will never be in charge. Get used to it now.
...which means that your personal data is a free-for-all.
Meanwhile, in the civilised EU, we have data protection laws, which effectively come down to owning your own personally identifiable information (including your likeness e.g. in France) and having strict control over what firms may do with your data, with measures detailing how they're held liable if they fuck up.
TJX owns Winners and HomeSense up here in Canada... no possible way I'll be shopping in those stores after an event like this. (For two reasons, how this guy was treated, and how they handle sensitive data)
Although I've been hearing rumours of HomeSense being closed down anyhow.
Agreed. People die for the sake of doing the right thing. And not all of those people actually succeeded in the end.
So what? The potential enormity of the consequences shouldn't preclude anyone from doing what they think is right, though in this case, if he had been a bit more tactful about it, he might've been able to avoid this particular consequence. Nor should commenting on this perceived unfairness be shunned. This is the reality of the situation, and that's that.
Anyways, if something can be obtained with little or no sacrifice, it's not really worth that much, now is it?
Man, you know, now that I know that "people will always be people," I guess I can just dismiss the whole human rights movement, women's suffrage, equal rights, labor activism, and every other form of social progress as mere illusions.
Cynical assholes will always be losers. How's that bitterness treating you? Turned into cancer or heart disease yet? Don't worry, it will. Bitter and petty individuals rarely live long.
Maybe the real message here is not that people will never change. Maybe the message is that you are too small minded to change or grow, and you're bitter towards the majority of us who can and do.
I see certain managers sending embarrassing emails to the entire office. ;)
Firing employees for publicly identifying security holes is a lot cheaper than actually fixing the holes (or grand canyon, in this case). After all, security holes aren't a problem if no one knows they're there.
Unless of course, they get slashdotted...
are you fucking stupid? he did the right thing.
Call the BSA on TJX.
That'll probably cost them plenty and the guy will get a reward for the tip!
Well, it really wasn't the "right thing" to do. If you're going to get all moral about it, then he signed some kind of confidentiality when he got hired. Doing the 'right thing' is not going to the general public and disclosing confidential internal company process. The 'right thing' would be to send it up the food chain through internal channels, possibly contact some investors, etc.
Then if he got fired he could sue the company for wrongful termination.
As it is, only the ISP and possibly the blog sites are liable.
If he really wanted to 'blow the whistle' then he should have gotten a piece of paper and a pencil and sent the information through snailmail. Major newspapers and TV outlets would be good starting points.
Posting on some random blog just shows he was talking smack about work, and wasn't trying to actually do anything for 'the good of the employees'.
To quote my own post, the one you replied to, "what was this guy thinking, doing the right thing in spite of the risks?"
That's called sarcasm, by the way.
Like they say, "No good deed goes unpunished."
Sadly, these kinds of stories will only be increasing as the now-firmly-established corporatocracy starts consolidating power. In 20 years, we won't need to worry about the government, because they will be powerless too.
You are in a maze of twisty little passages, all alike.
http://www.cgisecurity.com/2008/05/11
Believe me, if I started murdering people, there would be none of you left.
In that case society has to make sure that data breaches are even more expensive. Does it take 1 million euros to secure a firm? Make sure that not doing so costs 10 million. Does it take a billion? Make the fine for non-compliance 10 billion. If the problem is that managers take the route of least resistance, money-wise, make the secure option the route of least resistance.
P.S. Why is that post marked '4 Insightful'? Look at the article - we're talking blank passwords here!
Then they've found a Gold Mine here on Slashdot.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
joking around does not help remedy the situation.
So tell me, what DO they give you medals for?
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
This is the typical corporate bull. I remember when I worked for Safeway and they first installed self checkouts: every night you had to print credit card signatures, which included every single person's full credit card number along with their signature. Even worse, managers would set the things to print and just walk off. These were not printed in a back room but on the actual check stands, making it possible for anybody to just walk up and grab a pile of people's credit card information. Luckily Safeway fixed this problem, but it took them a good 6 months to get around to it.
Sign this pledge if you will NOT shop at TJX stores until they improve security practices AND rehire the unjustly fired employee!
(508) 390-2323
We had a client that insisted on using trivial passwords. The CEO said he wanted trivial passwords or we were fired as consultants. His main reason was that he wanted any employee to be able to use any other employee's account (no, having the ability for an admin to reset a password wasn't good enough). I compromised by allowing trivial passwords only on the local LAN. Any remote access required real passwords. The psychology worked pretty well - having remote access was associated with being a power user, able to handle advanced passwords. Not perfect, but a good compromise. The CEO wasn't a power user, and fortunately had no interest in remote access.
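The zone-based compromise described in the comment above (trivial passwords tolerated on the LAN, real passwords required for remote access, blank passwords accepted nowhere) can be expressed as a small policy check. The following is an added example, not code from the commenter or from TJX; the LAN ranges, the length thresholds and the character-class rule are constructed assumptions for illustration.

```python
import ipaddress
import re

# Assumption (constructed for this example): these ranges are the store LAN;
# any other source address is treated as remote access.
LAN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Hypothetical policy tiers: a low bar on the LAN, a real one for remote logins.
LAN_MIN_LENGTH = 4
REMOTE_MIN_LENGTH = 12
REMOTE_MIN_CLASSES = 3  # of lowercase, uppercase, digit, symbol


def zone_for(source_ip):
    """Classify the connection origin as 'lan' or 'remote'."""
    addr = ipaddress.ip_address(source_ip)
    return "lan" if any(addr in net for net in LAN_NETWORKS) else "remote"


def character_classes(password):
    """Count how many of the four character classes the password uses."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def check_password_policy(password, source_ip):
    """Return (allowed, reason) for a login with this password from this address.

    A blank password is rejected regardless of zone: the LAN concession only
    relaxes strength, it never removes the requirement to have a password.
    """
    if not password:
        return False, "blank passwords are never accepted"
    zone = zone_for(source_ip)
    if zone == "lan":
        if len(password) < LAN_MIN_LENGTH:
            return False, f"lan: at least {LAN_MIN_LENGTH} characters required"
        return True, "lan: trivial password tolerated on the local network"
    if len(password) < REMOTE_MIN_LENGTH:
        return False, f"remote: at least {REMOTE_MIN_LENGTH} characters required"
    if character_classes(password) < REMOTE_MIN_CLASSES:
        return False, f"remote: at least {REMOTE_MIN_CLASSES} character classes required"
    return True, "remote: password meets the strong-password tier"


if __name__ == "__main__":
    # Constructed sample logins: same trivial password from inside and outside.
    for pw, ip in [("", "10.1.2.3"), ("1234", "10.1.2.3"), ("1234", "203.0.113.9")]:
        print(repr(pw), ip, check_password_policy(pw, ip))
```

The point the policy encodes is that the weaker tier is tied to where the request comes from, not to who is asking; a VPN or remote-desktop path that lands inside the LAN ranges would silently inherit the weak tier, so the zone classification must be done on the real ingress address.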
As a professional cynic, I resent the implication that the grandparent is cynical. No one naive enough to castigate someone for standing up for ideals is a true cynic. The true cynic believes the whistleblower shorted the stock before being fired for competence.
What is right is almost never easy.
If it were it wouldn't be something worth mentioning.
If you can read this, I forgot to post anonymously.
Nicely said.
Yes, he sounds very noble for making an internet post. I'm sure everyone's much more secure because of it.
If he actually wanted to help anything, he'd have reported the company to the BBB or even the credit companies. He was just ranting about his company on an online forum. Of course he got fired! I'd have fired him, too. You just don't do that.
E pluribus unum
There ought to be a law prohibiting companies from firing whistleblowers.
who needs strong passwords when you can simply have tough-to-guess usernames.
Confidentiality agreement for working at a TJ Maxx??? Seriously???
Did you have to sign a non-compete when you got hired at McDonalds?
It's not just PCI fines that a merchant needs to think about: a bunch of banks sued TJX over the breach.
TJX just doesn't get it. They hired a team to look for insider negative postings, and considered that an increase in security. They consider the negative poster a rouge insider... but they can't seem to track down who was at fault for the massive breach that they suffered from. That's the person we really want fired.
What we, the people who used to shop at TJ Maxx, Marshalls, AJ Wright, HomeGoods, and Bob's Stores, are looking to see is that they can finally claim that they increased their security (using the same standards we expect on the web) so that nobody can intercept what we show the cashier, our credit card stripe data and signature, on its way to the credit card processing company they're using. Good encryption is freely available, great would be hearing that they hired a company that cares about it.
They're thinking about what directly impacts the bottom line (profits) while forgetting that what upsets the customers will directly impact the top line (sales) that will impact that bottom line too.
Maybe a bit on the young side for "elder", but I doubt I would have done things differently -- the first time, anyway. At some point, however, the need to have food on the table and a roof over my head gets to make the decision.
Reality bites -- you say what you really think and you get burned. You keep your head down and your mouth shut and you hate yourself. If you work hard enough and keep your mouth shut long enough, you might be lucky enough to find a position where you won't get fired for saying what you think. At least, that's what I'm counting on.
"Please describe the scientific nature of the 'whammy'" - Agent Scully
http://www.tjx.com/employment/life_brands.html I don't know who paid for it but I have had new credit cards issued not because I asked for them... kinda messed up my cookies for online purchases. These guys suck.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
Yeah that was my way of getting across locking your PC to a former helpdesk manager. Putting a note in 72pt font asking him to please lock his workstation didn't work repeatedly so I sent an email to the director of IT as him stating "I am an idiot who leaves my workstation unlocked, therefore anyone walking by can compromise the network". You should have seen him come running from his meeting when he saw it on his blackberry. The IT Director just laughed when he complained and told him not to be an idiot and to lock his machine as per company policy.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
For example:
BIG_b00bs_a how hard is that to remember?
another
P4ssw0rd5_suck_m3_0ff
Another:
ROY_G_B1V_aa
Jeez, there really isn't any excuse. I think they called this PAL in the Military.
How about the first few letters from the first words in a song or poem?
from Mary had a little lamb:
Mhallwfwwas&wmw12
or another
IXdKKaspdd_10
This can't remember password BS really annoys me.
Add to that the fact that any computer system today should lock down the account after 3 attempts... ah hell, let's make it 5 attempts. That should prevent a brute force or dictionary attack from happening, so changing your password isn't really that necessary any more; it's a holdover from 25 years ago when you could only have 8 characters and there wasn't any lockout.
Since most people who implement security do not understand security and could do risk analysis if their life depended on it, I'm not surprised at the state of affairs in computer security.
And before someone who thinks they know what they are doing corrects me, yes, I do know there are some systems that need tighter security, like missile Codes. Having handled them I know a thing or 4 about them. I am talking about security for 99.99% of everyone else.
The Kruger Dunning explains most post on
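The lockout rule proposed in the comment above (lock the account after a handful of failed attempts so that online guessing stops working) is easy to state and easy to get subtly wrong, so here is a worked version with a sliding failure window and a timed lock. This is an added example, not code from the commenter or from any TJX system; the thresholds, the credential store and the attempt sequence are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time
from collections import deque

# Hypothetical policy values: 5 failures within 15 minutes locks for 30 minutes.
MAX_ATTEMPTS = 5
WINDOW_SECONDS = 15 * 60
LOCKOUT_SECONDS = 30 * 60


def make_record(password, iterations=50_000):
    """Store a salted PBKDF2 hash rather than the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations}


def verify(record, password):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


# Constructed credential store with one account.
STORE = {"cashier7": make_record("correct horse battery")}


class LockoutTracker:
    """Tracks failed logins per user; `clock` is injectable so tests can fake time."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS, clock=time.time):
        self.max_attempts, self.window, self.lockout, self.clock = max_attempts, window, lockout, clock
        self._failures = {}      # user -> deque of failure timestamps inside the window
        self._locked_until = {}  # user -> time at which the lock expires

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:          # lock has expired: clear state
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user):
        """Return True if this failure triggers a lock."""
        now = self.clock()
        q = self._failures.setdefault(user, deque())
        q.append(now)
        while q and now - q[0] > self.window:  # drop failures older than the window
            q.popleft()
        if len(q) >= self.max_attempts:
            self._locked_until[user] = now + self.lockout
            return True
        return False

    def record_success(self, user):
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)


def attempt_login(tracker, store, user, password):
    """Return 'locked', 'ok' or 'failed'. The lock is checked before the password,
    so a correct guess during the lock window is still refused."""
    if tracker.is_locked(user):
        return "locked"
    record = store.get(user)
    if record is not None and verify(record, password):
        tracker.record_success(user)
        return "ok"
    tracker.record_failure(user)
    return "failed"


class FakeClock:
    def __init__(self, start=0.0):
        self.t = start

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def run_demo():
    """Five wrong guesses, then the right password while locked, then after expiry."""
    clock = FakeClock()
    tracker = LockoutTracker(clock=clock.now)
    outcomes = []
    for _ in range(MAX_ATTEMPTS):
        outcomes.append(attempt_login(tracker, STORE, "cashier7", "wrong"))
        clock.advance(1)
    outcomes.append(attempt_login(tracker, STORE, "cashier7", "correct horse battery"))
    clock.advance(LOCKOUT_SECONDS)
    outcomes.append(attempt_login(tracker, STORE, "cashier7", "correct horse battery"))
    return outcomes


if __name__ == "__main__":
    print(run_demo())
```

Two design points worth noticing: the failure window is per account, so the counter cannot be reset by waiting a few seconds between guesses, and because a lock is keyed on the username alone, anyone who can reach the login prompt can lock a real user out. That second property is the usual argument for pairing lockout with rate limiting by source address and alerting on lock events rather than relying on lockout alone.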
Sadly, complex systems would cost a lot of money to actually secure, and even then someone will figure a way around the system because there is so much money at stake.
I can only think of one way to minimize the risk to almost nothing. But that would be painful for the credit companies and the merchants.
Maybe we can't ever have real security. What's going to happen when we all have these massively parallel systems sitting on our desktops? When people have 1000 128-core parallel machines bent to the task of cracking encryption AND another 1000 machines brute forcing?
This doesn't even take into consideration social engineering.
Maybe online money spending is doomed to die?
Actually, many, if not all, banks allow you to drop below zero these days, and then ding you for the service fee, just like checks.
Also note, a lot of transactions, especially small ones, are NOT real time.
Ever use your debit card, not have to enter a number? Yeah.
Most parking meters post their data once an hour.
Typical moron IT manager - "This monkey knows so much more than me I sh!t my pants every day. I better wave my dumb ass around really fast and find a way to fire him so I look good to my bosses, without actually solving the problem".
In a sane society you should get a medal for standing up for principles. Since there is no monetary reward for doing right there needs to be some other incentive to do things that benefit the community as a whole.
Having a society that only rewards big bucks, regardless of how they are made, is counterproductive and will undoubtedly lead to it imploding on itself.
HTTP/1.1 400
Overdraft fees are how they make their money now that "free checking" is the norm.
/. -- the Free Republic of technology.
I would have taken it down from the inside. I would have done, but I am far too involved in taking down a completely different company from the inside. If you like Vista, wait until the next version comes out.
Well, TJX may have really screwed themselves. This issue touches on internal controls, a topic near and dear to SOX (Sarbanes Oxley).
:-)
SOX actually has fairly strong protections for whistleblowers who are pointing out internal control issues.
If they didn't work to communicate internal whistleblower channels (anon contact to Board of Directors) or didn't respond to it, they are screwed.
Firing him - if he tried those channels or wasn't aware of them due to insufficient publicity - could well be a violation of SOX.
I would love to get this one to the shareholders
Jordan
...until he was fired.
Streisand effect in 3...2...1...
Being popular with your commander.
I do not shop at any TJX store, but my CC company had to issue me a new card because of them.
Slightly OT, but maybe it'll help somebody - Without making any claims about his politics, I've been following this guy's very simple personal finance plan, and guess what? No possibility of credit card info being stolen (I suppose someone could still steal my ID) since it turns out that with a little common sense and discipline, they are totally unnecessary.
Turns out taking a stand for yourself is much easier than trying to get the government or a large corporation to do it.
http://www.careers-tjx.com/tjx/jobboard/JobDetails.aspx?__ID=*8A2AD37F824665C4
I agree with you and believe that the era of largely anonymous web use is over. There are now too many large financial interests involved in the Internet, and those interests have the resources to track down anyone.
What is currently the best anonymizer solution out there? I tried JAP for a while, but it was slow, so I quit using it.
A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
having a warlock main, I think they should nerf rouges :)
A blank password is actually pretty secure.

Scenario 1: Windows box logged in as a normal user most of the time (a POS, for example) but with a blank Admin account for specific tasks. For a remote hacker sitting in the car park this means no RDP, no runas, no Scheduled Tasks from which to use this Admin account. Windows doesn't allow this. Of course you can start > run > gpedit.msc > Windows Settings > Security Settings > Local Policies > Security Options and disable "Limit local account use of blank passwords to console logon only". However, this requires a lucky VNC into an admin session and isn't scalable.

Scenario 2: the same setup but this time the Administrator account has a password. LSA Protected Storage, rainbow tables, repair/sam, other computers. Passwords (domain and local) are trivially easy to come by in Windowsland. And with a password on the admin account this means runas etc. will actually work.

Take it from someone who has banged his head against blank Windows passwords in a (simulated, disclaimer) REMOTE hacking scenario. I would take a 20-char password over a blank one any day.