Slashdot Mirror

← Back to Stories (view on slashdot.org)

TJX Fires Employee For Disclosing Vulnerability

Posted by kdawson on from the shoulda-used-wikileaks dept.

I Don't Believe in Imaginary Property writes "A TJX employee was fired for an online post mentioning that TJX hasn't beefed up security after the recent, massive data breach that saw 94 million credit card numbers copied by criminals and money from their accounts stolen. The employee mentioned that, at first, their usernames were the same as their passwords. After they required stronger passwords, some managers complained, so they 'compromised' by allowing blank passwords. The whistleblower said he discussed his concerns with management, but that it was like talking to a brick wall. In spite of the weak internal security, TJX now has a firm that scours the internet to find bad things posted about them, which is how they found the message and fired him for it. Too bad they don't appear to have hired anyone to beef up operational security or to convince people to use strong passwords."

19 of 217 comments (clear)

  1. um duh by Brian+Gordon · · Score: 3, Insightful

    If you non-anonymously whistleblow on your own company what do you expect..

    1. Re:um duh by gnosi · · Score: 5, Insightful

      Have they not learned from the others that have gone on before them. It is not the original error that will get you, but how you cover up your error that does.

      Anyone remember Nixon... and a few others.

      -- sig.com not found post halted

  2. Sad State of Affairs by PacketScan · · Score: 3, Insightful

    Sadly this is business as a whole. They would rather spend a little after the fact to defend rather than spend just a few dollars to beef up security before a problem occurs. Management is completely inept most times when it comes to security concerns.

    1. Re:Sad State of Affairs by Anonymous Coward · · Score: 5, Insightful

      What security people don't understand is that good security can be very, very, VERY expensive. Far more expensive than some simple PR. I'm not just talking about the up-front cost of doing security right in the first place, but the less noticeable costs of user training, user re-training, tech support, lost productivity (senior manager forgot his admin password), and the cost of letting people go who are very valuable and good at their jobs but too stupid to follow the proper security protocols.

      Good managers understand this and realize that spending that much money on protecting something that's really not very important to the company (customer identities) is just not good business. Until people start hearing on the nightly news that "TJMaxx gave your credit information to terrorists who used it to buy nuclear weapons and assassinate Jesus," the negative publicity they'll suffer is negligible.

    2. Re:Sad State of Affairs by Tom · · Score: 3, Insightful

      What security people don't understand is that good security can be very, very, VERY expensive. Maybe. But the point here wasn't about good security it was about minimum security.

      Good security can be expensive. But adequate security is fairly cheap. "password == username" and "blank password" are essentially equal to "no password". Having any password at all, even if it's weak from the POV of a security expert (say, a word from the dictionary) is still a whole lot better than having no password. And it's not very expensive. A billion people in millions of companies manage to remember their login password from monday through friday, and sometimes even over the weekend. I'm sure with just a little training, TJX managers would be able to do that, too.
      --
      Assorted stuff I do sometimes: Lemuria.org
  3. Another 23 year old realizes that McJobs suck by elrous0 · · Score: 3, Insightful

    Seriously, what did he expect, that a lazy corporation was going to reform its security policies because a 23-year-old hourly employee complained anonymously on a blog? And what did he think they were going to do when they caught him, give him a raise and a promise to change their cheap lazy ways?

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  4. Good for him by sleekware · · Score: 3, Insightful

    I don't blame him at all. There is far too much incompetence out there regarding data security. I am lucky to work for a company that listens, but I have quite a few friends who work for companies that don't seem to give a damn. It's a shame.

  5. I think there are laws. . . by JSBiff · · Score: 4, Insightful

    To protect whistleblowers, aren't there? Although, that might only be in the government, and maybe government contractors. Not sure if it extends to the private sector.

    The thing I'm puzzled about is, I thought that the electronic payment networks (MasterCard, Visa, Discover, Amex, etc) had very specific requirements for data security, including audits, which filter down to merchants (I realize that merchants don't generally do business directly with the networks [unless, maybe, they're Walmart or Sears], and instead go through intermediate companies that 'resell' the network services, but I thought the security requirements, and audit regimen, bubble down through the whole hierarchy?)

    1. Re:I think there are laws. . . by kmahan · · Score: 4, Insightful

      And who would the "proper authority" be in this case? His management doesn't care.

      Apparently PCI Compliance doesn't allow for input from the "little people" -- or would someone care to post a link that allows for submitting information to them?

      --
      Invalid Checksum. Retrying.
    2. Re:I think there are laws. . . by TubeSteak · · Score: 3, Insightful

      The whistleblower protection laws in the USA protect an employee from termination for reporting the employer acting illegally. Yea and construction workers can legally refuse to work on an unsafe site.
      Neither set of laws will keep you from getting fired for coming back from lunch 3 minutes late.

      If your company wants a reason to fire you, unless you're perfect, they'll find one.
      --
      [Fuck Beta]
      o0t!
    3. Re:I think there are laws. . . by Pepebuho · · Score: 4, Insightful
      I am not a lawyer, but I think there might be some way to tie Sarbanes-Oaxley into this.
      As a Public Company, TJX is subject to Sarbanes Oaxley.

      Section 302 demands the certification of Internal Control on Financial data. With such shoddy password system I fail to see how they can comply with it.
      Section 404 demands management to assess risk and solve it
      Section 802 accrues criminal penalties for violations to Sarbanes Oaxley and (TADAM!!!)
      Section 1107 accrues criminal penalties for retaliations against whistleblowers.

      I think this guy should get hold of Section 1107 and run it for all it is worth!!!!

      From Wikipedia:
      http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act

      Section 1107 of the SOX 18 U.S.C. 1513(e) states:[23]

      " Whoever knowingly, with the intent to retaliate, takes any action harmful to any person, including interference with the lawful employment or livelihood of any person, for providing to a law enforcement officer any truthful information relating to the commission or possible commission of any federal offence, shall be fined under this title, imprisoned not more than 10 years, or both. I am not sure if posting to a blog could be construed as "providing to a law enforcement officer any truthful information bla bla bla", but I think this is his best shot.

      My 2 cents
  6. Re:Another older guy loses his capacity for outrag by elrous0 · · Score: 5, Insightful

    Being a whistleblower means sacrifice. No one gives you a medal for doing the right thing, nor should you expect anything but scorn.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  7. Re:Another older guy loses his capacity for outrag by compro01 · · Score: 4, Insightful

    Yes, things currently work that way. Things shouldn't work that way.

    --
    upon the advice of my lawyer, i have no sig at this time
  8. Re:Another older guy loses his capacity for outrag by spun · · Score: 4, Insightful

    Assuming this is how things actually are, what makes you think this kid expected anything different? Where do you see him begging for a medal?

    But it really sounds like you are going further, saying that not only is this how things are, but how they ought to be. It really sounds like you are coming down on the guy for doing the right thing.

    Or maybe you are trying to say that everyone should be as cynical as you are? Maybe you believe that we should all expect to get fucked over for doing the right thing, and anyone who doesn't expect that is an idiot who deserves what they got.

    Please clarify, do you think this guy got the treatment he deserves? Should we not be outraged here? I'm confused as to your motives for posting what you originally did.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  9. Re:RTFA by immcintosh · · Score: 5, Insightful

    If there's anybody he can sue, it would only be his ISP for divulging his information without his permission and also without a warrant. While the company was certainly out of line in the lengths they went through to accomplish this, there's nothing ILLEGAL about discovering an internet persona's true identity. They were perfectly free to ask all the questions they did. Whether the ISP had any right to divulge that information is another matter I don't really care to guess on.

  10. Re:RTFA by mwvdlee · · Score: 5, Insightful

    Asking somebody to break the law can be illegal too, depending on the exact details.
    Trouble is, due to their own well-documented incompetence in security, they'd have a pretty good chance to claim they simply didn't know it was illegal.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  11. Re:RTFA by compro01 · · Score: 4, Insightful

    And whatever happened to "ignorance of the law is no excuse"? One would think that should be doubly so for large corporations with legal departments to tell them what is and isn't legal.

    --
    upon the advice of my lawyer, i have no sig at this time
  12. Re:RTFA by ConceptJunkie · · Score: 4, Insightful

    You're assuming large corporations are actually subject to the law.

    --
    You are in a maze of twisty little passages, all alike.
  13. Re:One store by jamstar7 · · Score: 3, Insightful

    TJX not only kept CC numbers long after they had any use for the information, they also kept transactional CC data that was not supposed to be kept after a transaction was done.

    Um, isn't this what the US government wants done with the new regulations? As well as sharing this info with the gov, of course...

    --
    Understanding the scope of the problem is the first step on the path to true panic.