Slashdot Mirror


TJX Fires Employee For Disclosing Vulnerability

I Don't Believe in Imaginary Property writes "A TJX employee was fired for an online post mentioning that TJX hasn't beefed up security after the recent, massive data breach that saw 94 million credit card numbers copied by criminals and money from their accounts stolen. The employee mentioned that, at first, their usernames were the same as their passwords. After they required stronger passwords, some managers complained, so they 'compromised' by allowing blank passwords. The whistleblower said he discussed his concerns with management, but that it was like talking to a brick wall. In spite of the weak internal security, TJX now has a firm that scours the internet to find bad things posted about them, which is how they found the message and fired him for it. Too bad they don't appear to have hired anyone to beef up operational security or to convince people to use strong passwords."
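The two weaknesses the summary describes, blank passwords and passwords equal to the username, are trivially checkable from a credential export, and a practitioner reading this would want the check rather than the anecdote. The following is an added example written for this page, not code from TJX, the article, or the submitter. It builds a constructed export of salted PBKDF2-SHA256 hashes (the account names and passwords are made up), then audits it for blank, username-derived and common passwords, and exposes the same classification as a set-time policy check. The hash parameters and the short common-password list are assumptions for the demo.

```python
"""Audit an exported credential table for blank passwords, passwords equal to
the username, and a few common words; reuse the same rule at password-set time.
Added example for this page; the export below is constructed, not real data."""
import hashlib
import hmac
import os

ITERATIONS = 20_000  # kept low so the demo runs quickly; production should use far more
COMMON = ["password", "Password1", "123456", "welcome"]  # assumed tiny list for the demo


def pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 as a stand-in for whatever the directory really stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(username: str, password: str) -> dict:
    """One row in the shape a directory dump might have: username, hex salt, hex hash."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt.hex(), "hash": pbkdf2(password, salt).hex()}


# Constructed sample export; none of these accounts exist anywhere.
SAMPLE_EXPORT = [
    make_record("jsmith", "jsmith"),                     # password == username
    make_record("mgr_store42", ""),                      # blank, the "compromise" in the story
    make_record("cashier7", "password"),                 # on the common list
    make_record("admin_ops", "c0rr3ct-h0rse-b4ttery"),   # matches no weak candidate
]


def classify(candidate: str, username: str):
    """Return the policy violation a candidate password represents, or None."""
    if candidate == "":
        return "blank password"
    if candidate.lower() == username.lower():
        return "password equals username"
    if candidate in COMMON:
        return "common password"
    return None


def candidates_for(username: str) -> list:
    """Weak guesses to try against each hash, in order: blank, username casings, common words."""
    ordered = ["", username, username.lower(), username.capitalize(), *COMMON]
    seen = []
    for c in ordered:
        if c not in seen:
            seen.append(c)
    return seen


def audit_accounts(export: list) -> dict:
    """Return {username: reason} for every account whose hash matches a weak candidate."""
    findings = {}
    for row in export:
        salt = bytes.fromhex(row["salt"])
        stored = bytes.fromhex(row["hash"])
        for cand in candidates_for(row["username"]):
            # compare_digest avoids leaking match position through timing
            if hmac.compare_digest(pbkdf2(cand, salt), stored):
                findings[row["username"]] = classify(cand, row["username"])
                break
    return findings


def reject_reason(username: str, new_password: str):
    """Set-time check using the same rule, so the audit cannot find what policy already rejects."""
    return classify(new_password, username)


if __name__ == "__main__":
    for user, reason in audit_accounts(SAMPLE_EXPORT).items():
        print(f"{user}: {reason}")
    print("set-time check for mgr_store42/'':", reject_reason("mgr_store42", ""))
```

The audit only ever tries a handful of candidates per account, so it is cheap even with a slow hash, and it reports the reason rather than the password. Running it against a real directory export is a reasonable pre-check before turning on a stronger policy; the set-time check is what keeps a "compromise" like blank passwords from being allowed in the first place.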

19 of 217 comments

  1. I was about to say... by vertinox · · Score: 4, Informative

    Who is TJX and how can I avoid doing business with them, but then I realized they were TJ Maxx and Marshall's and I don't do business with them anyways.

    --
    "I am the king of the Romans, and am superior to rules of grammar!"
    -Sigismund, Holy Roman Emperor (1368-1437)
    1. Re:I was about to say... by Anonymous Coward · · Score: 5, Informative

      It doesn't matter if you do not do business directly with TJX or whoever you do not like.... if you use a check or a CC when making a purchase, odds are it goes through one of a few companies for processing. I used to work for a financial institution that leaked 20+ million people's personal info to the world.... so, did you make any purchases at Best Buy or CompUSA last year? If so, your name was probably in the lot.

  2. One store by Anonymous Coward · · Score: 4, Informative

    This was a server at one store, not the TJX headquarters where the data is kept.

    1. Re:One store by Anonymous Coward · · Score: 5, Informative

      "This was a server at one store, not the TJX headquarters where the data is kept"

      The original loss of data was caused by weak passwords on wireless routers. War dialers parked outside a store (or stores) captured data that was then used to collect millions of credit card numbers from the HQ servers. One of the problems was that TJX kept CC numbers on file long after they had any use for the information. This is a case where bad security at one store compromised the whole corporation. Sounds like nothing has changed.

    2. Re:One store by darkmeridian · · Score: 4, Informative

      The war dialers logged into TJX HQ servers and were able to install applications that sniffed network traffic and logged passwords. TJX not only kept CC numbers long after they had any use for the information, they also kept transactional CC data that was not supposed to be kept after a transaction was done.

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
  3. RTFA by Anonymous Coward · · Score: 5, Informative

    "So last August, Benson took to Sla.ckers.org, a website dedicated to web application security, and began anonymously reporting the shoddy practices in this user forum."

    1. Re:RTFA by TubeSteak · · Score: 5, Informative

      "...began anonymously reporting the shoddy practices in this user forum." He was the squeaky wheel at the store, then went online and squeaked some more.
      http://ha.ckers.org/blog/20080522/tjx-whistle-blower/

      They tracked him down by IP (we're still not completely sure how they did this, but we think it may have to do with a DynDNS account he uses), contacted his ISP to find out who he was, brought him into the office, questioned him about what he found, asked for him to write down his thoughts on how to fix the issues and then promptly fired him. Long story short: You aren't anonymous unless you're going through an anonymous overseas proxy or three.
      At least it'll be harder to get your IP from a foreign company.
      --
      [Fuck Beta]
      o0t!
    2. Re:RTFA by conlaw · · Score: 4, Informative

      AFAIK, there is no federal law that would apply in this situation and the only Kansas statute that I could find on whistleblowing applies only to government employees. However, there appear to be a couple of Kansas cases holding that firing someone for whistleblowing is against public policy.

  4. In case you're wondering who TJX is... by Anonymous Coward · · Score: 4, Informative

    Here's the TJX web site [warning: Flash], where you'll learn that they are TJMaxx, Winners, Marshalls, HomeSense, HomeGoods, TKMaxx, AJWright, and Bob's Stores. You can also read a nice letter from the TJX president and CEO describing how they have "...worked diligently with some of the world's best computer security firms to further enhance our computer security."

    Blank passwords. Wow. No bad guys would ever try that. Disclosing that policy would really compromise security, wouldn't it?

  5. Re:Another 23 year old realizes that McJobs suck by dgatwood · · Score: 2, Informative

    Remember, kids, like TSA Panda says, the appearance of security is more important than actual security.

    BTW, Sarbanes-Oxley has whistleblower protection that may get this company in deep, deep s**t for firing this blogger....

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  6. Re:um duh by cyphercell · · Score: 2, Informative

    Here's where the company gets in trouble:

    https://www.pcisecuritystandards.org/tech/

    which is funny, I used to work upgrading old credit card systems for the PCI DSS; the scuttlebutt at the time was that TJX was the REASON for implementing the DSS in the first place. TJX ought to have the credit cos. run a train on 'em for this shit.

    --
    Under the influence of Post-Cyberpunk Gonzo Journalism
  7. Re:I think there are laws. . . by athakur999 · · Score: 4, Informative

    The whistleblower protection laws in the USA protect an employee from termination for reporting the employer acting illegally. Shoddy security may be stupid but I don't know if it's illegal or not. Also, the employee needs to be reporting to the proper authority, not a random Internet forum.

    --
    "People that quote themselves in their signatures bother me" - athakur999
  8. Additional Information by mrkitty · · Score: 3, Informative
    --
    Believe me, if I started murdering people, there would be none of you left.
  9. Re:I think there are laws. . . by zerocool^ · · Score: 2, Informative

    http://en.wikipedia.org/wiki/PCI_DSS

    Ask me how I know... ClamAV and I have become more familiar than I ever thought possible.

    --
    sig?
  10. Re:I think there are laws. . . by Anonymous+Brave+Guy · · Score: 3, Informative

    I think you've pretty much got to the root of the problem there: if this behaviour isn't criminally negligent, it should be. In a world where identity theft is one of the fastest growing (and most damaging) crimes in town, dealing with a business that has previously shown itself to be incompetent in handling personal data and is actively avoiding improving the situation, it's time to start throwing the directors in jail.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  11. Re:Does the CEO condone this firing act? by Kingrames · · Score: 2, Informative

    The problem being that everyone under him will be suffering far more, for far longer, because of a protest like that.

    --
    If you can read this, I forgot to post anonymously.
  12. Re:Another 23 year old realizes that McJobs suck by dgatwood · · Score: 3, Informative

    The heck it didn't. It had to do with a complete lack of security on computer systems that were used in financial transactions. It's hard to keep accurate financial records if key financial systems can be trivially compromised. It also represents a HUGE threat to the financial viability of the company, and technically, failure to include such risks as part of your regular corporate reporting to the SEC is a pretty major case of investor fraud, which was the whole point of Sarbanes-Oxley....

    Sadly, covering up security problems seems to be the norm in banking circles. Really gives you a lot of trust in their ability to guard your money, doesn't it?

    Oh, and here's a similar story from 2005 that also suggests that this is likely SarbOx territory.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  13. The cost to TJX by Beryllium+Sphere(tm) · · Score: 2, Informative

    It's not just PCI fines that a merchant needs to think about: a bunch of banks sued TJX over the breach.

  14. Re:Another 23 year old realizes that McJobs suck by Anonymous Coward · · Score: 1, Informative

    Sorry folks, it's not an hourly employee that's doing this. They don't have computer access or passwords beyond the one used to log into the registers. I was there once; it was a college job. That may have changed with the computer upgrades that happened after I left, but I doubt it. The reason for the firings is that in the paperwork you sign, you specifically agree not to post information about the company onto blogs, message boards, etc. while employed. Doing so was stated as grounds for termination, end of story. I gave my notice years ago, but since I might need the character reference one day, I'm still posting as AC.