TJX Fires Employee For Disclosing Vulnerability
I Don't Believe in Imaginary Property writes "A TJX employee was fired for an online post mentioning that TJX hasn't beefed up security after the recent, massive data breach that saw 94 million credit card numbers copied by criminals and money from their accounts stolen. The employee mentioned that, at first, their usernames were the same as their passwords. After they required stronger passwords, some managers complained, so they 'compromised' by allowing blank passwords. The whistleblower said he discussed his concerns with management, but that it was like talking to a brick wall. In spite of the weak internal security, TJX now has a firm that scours the internet to find bad things posted about them, which is how they found the message and fired him for it. Too bad they don't appear to have hired anyone to beef up operational security or to convince people to use strong passwords."
It doesn't matter if you do not do business directly with TJX or whomever you do not like... if you use a check or a CC when making a purchase, odds are it goes through one of a few companies for processing. I used to work for a financial institution that leaked 20+ million personal info to the world... So, did you make any purchases at Best Buy or CompUSA last year? If so, your name was probably in the lot.
"So last August, Benson took to Sla.ckers.org, a website dedicated to web application security, and began anonymously reporting the shoddy practices in this user forum."
"This was a server at one store, not the TJX headquarters where the data is kept"
The original loss of data was caused by weak passwords on wireless routers. War dialers parked outside a store (or stores) captured data that was then used to collect millions of credit card numbers from the HQ servers. One of the problems was that TJX kept CC numbers on file long after they had any use for the information. This is a case where bad security at one store compromised the whole corporation. Sounds like nothing has changed.