Slashdot Mirror


TJX Fires Employee For Disclosing Vulnerability

I Don't Believe in Imaginary Property writes "A TJX employee was fired for an online post mentioning that TJX hasn't beefed up security after the recent, massive data breach that saw 94 million credit card numbers copied by criminals and money from their accounts stolen. The employee mentioned that, at first, their usernames were the same as their passwords. After they required stronger passwords, some managers complained, so they 'compromised' by allowing blank passwords. The whistleblower said he discussed his concerns with management, but that it was like talking to a brick wall. In spite of the weak internal security, TJX now has a firm that scours the internet to find bad things posted about them, which is how they found the message and fired him for it. Too bad they don't appear to have hired anyone to beef up operational security or to convince people to use strong passwords."

32 of 217 comments

  1. um duh by Brian+Gordon · · Score: 3, Insightful

    If you non-anonymously whistleblow on your own company what do you expect..

    1. Re:um duh by gnosi · · Score: 5, Insightful

      Have they not learned from the others that have gone on before them? It is not the original error that will get you, but how you cover up your error that does.

      Anyone remember Nixon... and a few others.

      -- sig.com not found post halted

  2. Sad State of Affairs by PacketScan · · Score: 3, Insightful

    Sadly this is business as a whole. They would rather spend a little after the fact to defend rather than spend just a few dollars to beef up security before a problem occurs. Management is completely inept most times when it comes to security concerns.

    1. Re:Sad State of Affairs by BSAtHome · · Score: 2, Insightful

      Everything that is The Right Thing(TM) is tech talk and is normally not understood by management. Techs and management speak different languages which often cause them to work against each other. This is sad but true and this story is another example. Management sees the cost in monetary terms (often short term), whereas the tech sees the cost in a much broader sense (often long term). The inherent conflict can be solved, or at least minimized, if you can find an intermediate who can translate between the layers.

    2. Re:Sad State of Affairs by Thelasko · · Score: 2, Insightful

      Sadly this is business as a whole. They would rather spend a little after the fact to defend rather than spend just a few dollars to beef up security before a problem occurs. Management is completely inept most times when it comes to security concerns. Not just security concerns, but any issue. Since their inception, companies have developed policies of less customer service, less security, and an overall goal to screw over the customer. The internet is a means to cure all of those issues because it provides the medium for consumers to organize and retaliate against this tyranny. Unfortunately, instead of improving the overall performance of the company, management chooses to troll forums in attempts to suppress any unfavorable comments about them.

      Corporations, take a lesson from the MPAA and the AACS LA. Once it hits the internet, it's too late!
      --
      One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    3. Re:Sad State of Affairs by Anonymous Coward · · Score: 5, Insightful

      What security people don't understand is that good security can be very, very, VERY expensive. Far more expensive than some simple PR. I'm not just talking about the up-front cost of doing security right in the first place, but the less noticeable costs of user training, user re-training, tech support, lost productivity (senior manager forgot his admin password), and the cost of letting people go who are very valuable and good at their jobs but too stupid to follow the proper security protocols.

      Good managers understand this and realize that spending that much money on protecting something that's really not very important to the company (customer identities) is just not good business. Until people start hearing on the nightly news that "TJMaxx gave your credit information to terrorists who used it to buy nuclear weapons and assassinate Jesus," the negative publicity they'll suffer is negligible.

    4. Re:Sad State of Affairs by eric76 · · Score: 2, Insightful

      I suspect that the most expensive of all is trying to teach the president of a company that running open wireless routers is a very serious security problem.

      It might be easier to convince an alligator to voluntarily become a vegetarian.

    5. Re:Sad State of Affairs by twiddlingbits · · Score: 2, Insightful

      It doesn't have to get as far as terrorists and nukes if the Credit Card companies would enforce the penalties for non-compliance to the PCI Standard. I know that the credit card processing agreement that my s.o.'s business has indicates that if your firm is "leaking" card numbers due to inadequate security they can penalize UP TO the removal of your firm's privileges to accept credit cards. Seeing as how many retail stores get 50%+ of their sales from Credit Cards or branded debit cards, that would be a big hurt if they had their acceptance revoked. Just to be clear, I've never seen or heard of this credit card death penalty being applied, as it would hurt Visa/MC/Amex too, as they wouldn't be getting fees on each sale (which can be 3-5%). So penalizing TJX could cost Visa/MC/AMEX a large sum of money. IMHO a better way would be to keep increasing the cut the card companies get when a firm has sucky security until it gets too expensive NOT to fix the problem.

    6. Re:Sad State of Affairs by Tom · · Score: 3, Insightful

      What security people don't understand is that good security can be very, very, VERY expensive. Maybe. But the point here wasn't about good security it was about minimum security.

      Good security can be expensive. But adequate security is fairly cheap. "password == username" and "blank password" are essentially equal to "no password". Having any password at all, even if it's weak from the POV of a security expert (say, a word from the dictionary), is still a whole lot better than having no password. And it's not very expensive. A billion people in millions of companies manage to remember their login password from Monday through Friday, and sometimes even over the weekend. I'm sure with just a little training, TJX managers would be able to do that, too.
      --
      Assorted stuff I do sometimes: Lemuria.org
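Tom's point that "password == username" and blank passwords amount to no password at all, as an added example (not code from the thread or from TJX): a Python policy check that puts the "compromise" setting described in the summary beside a minimal baseline and audits a constructed account list against each. Account names, passwords and the policy thresholds are invented for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    allow_blank: bool            # the "compromise" the summary describes
    allow_equals_username: bool  # the original state the employee reported
    min_length: int


# Weak settings as the thread describes them (constructed for this example).
COMPROMISE_POLICY = PasswordPolicy(allow_blank=True, allow_equals_username=True, min_length=0)
# A minimal baseline in the spirit of Tom's argument: any real password, even a weak one.
BASELINE_POLICY = PasswordPolicy(allow_blank=False, allow_equals_username=False, min_length=6)

# Constructed sample accounts: (username, password). Not real data.
SAMPLE_ACCOUNTS = [
    ("jsmith", ""),
    ("mgr_01", "mgr_01"),
    ("mgr_02", "MGR_02"),
    ("cashier7", "summer"),
    ("itadmin", "correct horse battery"),
]


def is_effectively_no_password(username: str, password: str) -> bool:
    """Blank, or equal to the username ignoring case: anyone who knows the login knows the secret."""
    return password == "" or password.casefold() == username.casefold()


def check_password(username: str, password: str, policy: PasswordPolicy):
    """Return (accepted, reason) for one credential under the given policy."""
    if password == "":
        return (True, "blank") if policy.allow_blank else (False, "blank password")
    if password.casefold() == username.casefold():
        if policy.allow_equals_username:
            return (True, "equals_username")
        return (False, "password equals username")
    if len(password) < policy.min_length:
        return (False, f"shorter than {policy.min_length}")
    return (True, "ok")


def audit(accounts, policy: PasswordPolicy) -> dict:
    """Count what a policy lets through, and how many of those are effectively no password."""
    result = {"accepted": 0, "rejected": 0, "no_password_accepted": 0}
    for user, pw in accounts:
        accepted, _ = check_password(user, pw, policy)
        result["accepted" if accepted else "rejected"] += 1
        if accepted and is_effectively_no_password(user, pw):
            result["no_password_accepted"] += 1
    return result


if __name__ == "__main__":
    for name, pol in (("compromise", COMPROMISE_POLICY), ("baseline", BASELINE_POLICY)):
        print(name, audit(SAMPLE_ACCOUNTS, pol))
```

Under the compromise policy every sample account is accepted and three of the five carry what amounts to no password; the baseline rejects exactly those three and costs nothing beyond requiring a few characters.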
  3. Another 23 year old realizes that McJobs suck by elrous0 · · Score: 3, Insightful

    Seriously, what did he expect, that a lazy corporation was going to reform its security policies because a 23-year-old hourly employee complained anonymously on a blog? And what did he think they were going to do when they caught him, give him a raise and a promise to change their cheap lazy ways?

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  4. Good for him by sleekware · · Score: 3, Insightful

    I don't blame him at all. There is far too much incompetence out there regarding data security. I am lucky to work for a company that listens, but I have quite a few friends who work for companies that don't seem to give a damn. It's a shame.

    1. Re:Good for him by jamstar7 · · Score: 2, Insightful

      At least you can put on record that you tried to implement more security, and it was rejected, so therefore beyond your control.

      It may be beyond your control, but it'll still be your responsibility if that's the way they wrote up your job description. Plus, it's a good way to get rid of somebody in the IT department. Doesn't matter if you don't have the authority to do the job, you're still stuck with the responsibility to get it done, and complaining to Those On High about said lack of authority will just get you a reputation as a whiner, and thus, the first guy out the door the next time there's a security breach.

      Hey, it's cheaper to ignore any breaches than it is to fix them.

      --
      Understanding the scope of the problem is the first step on the path to true panic.
  5. I think there are laws. . . by JSBiff · · Score: 4, Insightful

    To protect whistleblowers, aren't there? Although, that might only be in the government, and maybe government contractors. Not sure if it extends to the private sector.

    The thing I'm puzzled about is, I thought that the electronic payment networks (MasterCard, Visa, Discover, Amex, etc) had very specific requirements for data security, including audits, which filter down to merchants (I realize that merchants don't generally do business directly with the networks [unless, maybe, they're Walmart or Sears], and instead go through intermediate companies that 'resell' the network services, but I thought the security requirements, and audit regimen, bubble down through the whole hierarchy?)

    1. Re:I think there are laws. . . by kmahan · · Score: 4, Insightful

      And who would the "proper authority" be in this case? His management doesn't care.

      Apparently PCI Compliance doesn't allow for input from the "little people" -- or would someone care to post a link that allows for submitting information to them?

      --
      Invalid Checksum. Retrying.
    2. Re:I think there are laws. . . by TubeSteak · · Score: 3, Insightful

      The whistleblower protection laws in the USA protect an employee from termination for reporting the employer acting illegally. Yea and construction workers can legally refuse to work on an unsafe site.
      Neither set of laws will keep you from getting fired for coming back from lunch 3 minutes late.

      If your company wants a reason to fire you, unless you're perfect, they'll find one.
      --
      [Fuck Beta]
      o0t!
    3. Re:I think there are laws. . . by drinkypoo · · Score: 2, Insightful

      Shoddy security may be stupid but I don't know if it's illegal or not.

      It probably is illegal, because it's probably fraudulent, not least if you make any kind of claims to being at all concerned about security and then knowingly put into place bad policies like allowing blank passwords. I mean, even if you're a total idiot you can see how that's a bad thing. You've got a secret club, right? And someone comes up and your bouncer says "what's da passwoid?" and he says nothing, and the bouncer says "okay come in den". I mean that makes no sense to anyone, right? So blank passwords clearly fail the common sense test.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:I think there are laws. . . by Pepebuho · · Score: 4, Insightful
      I am not a lawyer, but I think there might be some way to tie Sarbanes-Oxley into this.
      As a Public Company, TJX is subject to Sarbanes-Oxley.

      Section 302 demands the certification of Internal Control on Financial data. With such shoddy password system I fail to see how they can comply with it.
      Section 404 demands management to assess risk and solve it
      Section 802 accrues criminal penalties for violations of Sarbanes-Oxley and (TADAM!!!)
      Section 1107 accrues criminal penalties for retaliations against whistleblowers.

      I think this guy should get hold of Section 1107 and run it for all it is worth!!!!

      From Wikipedia:
      http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act

      Section 1107 of the SOX 18 U.S.C. 1513(e) states:[23]

      "Whoever knowingly, with the intent to retaliate, takes any action harmful to any person, including interference with the lawful employment or livelihood of any person, for providing to a law enforcement officer any truthful information relating to the commission or possible commission of any federal offence, shall be fined under this title, imprisoned not more than 10 years, or both."

      I am not sure if posting to a blog could be construed as "providing to a law enforcement officer any truthful information bla bla bla", but I think this is his best shot.

      My 2 cents
    5. Re:I think there are laws. . . by Xiaran · · Score: 2, Insightful

      So where are the Credit Card companies in all this? Surely their ass is on the line for fraudulent use of leaked CC information. I would think VISA and Mastercard could step in and insist that this company clean up its security or else disallow payments originating from them.

  6. Re:Another older guy loses his capacity for outrag by elrous0 · · Score: 5, Insightful

    Being a whistleblower means sacrifice. No one gives you a medal for doing the right thing, nor should you expect anything but scorn.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  7. Re:Another older guy loses his capacity for outrag by compro01 · · Score: 4, Insightful

    Yes, things currently work that way. Things shouldn't work that way.

    --
    upon the advice of my lawyer, i have no sig at this time
  8. Re:Another older guy loses his capacity for outrag by spun · · Score: 4, Insightful

    Assuming this is how things actually are, what makes you think this kid expected anything different? Where do you see him begging for a medal?

    But it really sounds like you are going further, saying that not only is this how things are, but how they ought to be. It really sounds like you are coming down on the guy for doing the right thing.

    Or maybe you are trying to say that everyone should be as cynical as you are? Maybe you believe that we should all expect to get fucked over for doing the right thing, and anyone who doesn't expect that is an idiot who deserves what they got.

    Please clarify, do you think this guy got the treatment he deserves? Should we not be outraged here? I'm confused as to your motives for posting what you originally did.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  9. Re:Good for them by quanticle · · Score: 2, Insightful

    Perhaps he didn't trust that the reporter would keep his identity secret? Or, more likely, perhaps there wasn't a reporter interested in the matter. The increasing declines in local journalism, combined with the fact that reporters and technology have traditionally gotten along about as well as oil and water, have meant that often there are no reporters willing to take on a data-breach story. Especially if the person cannot make some kind of sensationalist "your credit cards just got handed to the Russian Mafia" or "Think of the children!!" kind of plea, it's quite likely that no reporter was interested in taking the story.

    --
    We all know what to do, but we don't know how to get re-elected once we have done it
  10. Re:RTFA by immcintosh · · Score: 5, Insightful

    If there's anybody he can sue, it would only be his ISP for divulging his information without his permission and also without a warrant. While the company was certainly out of line in the lengths they went through to accomplish this, there's nothing ILLEGAL about discovering an internet persona's true identity. They were perfectly free to ask all the questions they did. Whether the ISP had any right to divulge that information is another matter I don't really care to guess on.

  11. Re:RTFA by mwvdlee · · Score: 5, Insightful

    Asking somebody to break the law can be illegal too, depending on the exact details.
    Trouble is, due to their own well-documented incompetence in security, they'd have a pretty good chance to claim they simply didn't know it was illegal.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  12. Re:RTFA by compro01 · · Score: 4, Insightful

    And whatever happened to "ignorance of the law is no excuse"? One would think that should be doubly so for large corporations with legal departments to tell them what is and isn't legal.

    --
    upon the advice of my lawyer, i have no sig at this time
  13. But you don't believe in imaginary property... by Anonymous Coward · · Score: 1, Insightful

    ...which means that your personal data is a free-for-all.

    Meanwhile, in the civilised EU, we have data protection laws, which effectively come down to owning your own personally identifiable information (including your likeness e.g. in France) and having strict control over what firms may do with your data, with measures detailing how they're held liable if they fuck up.

  14. Re:RTFA by ConceptJunkie · · Score: 4, Insightful

    You're assuming large corporations are actually subject to the law.

    --
    You are in a maze of twisty little passages, all alike.
  15. Re:Another older guy loses his capacity for outrag by evilviper · · Score: 2, Insightful

    No one gives you a medal for doing the right thing,

    So tell me, what DO they give you medals for?
    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  16. Re:One store by jamstar7 · · Score: 3, Insightful

    TJX not only kept CC numbers long after they had any use for the information, they also kept transactional CC data that was not supposed to be kept after a transaction was done.

    Um, isn't this what the US government wants done with the new regulations? As well as sharing this info with the gov, of course...

    --
    Understanding the scope of the problem is the first step on the path to true panic.
  17. Re:Another older guy loses his capacity for outrag by Kingrames · · Score: 2, Insightful

    What is right is almost never easy.
    If it were it wouldn't be something worth mentioning.

    --
    If you can read this, I forgot to post anonymously.
  18. Re:I was about to say... by Anonymous+Brave+Guy · · Score: 2, Insightful

    The problem is when they take the third dollar from your two-dollar account, you default on the "bad debt", and then you can't get a mortgage for several years because you're a "credit risk".

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  19. Re:RTFA by geekoid · · Score: 2, Insightful

    He could have posted from different places, and they wouldn't have been able to do squat... hell, even using a friend's computer would probably be enough.

    It also makes me wonder what laws TJX may have broken trying to get that information.

    --
    The Dunning-Kruger effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect