Slashdot Mirror

← Back to Stories (view on slashdot.org)

TJX Fires Employee For Disclosing Vulnerability

Posted by kdawson on from the shoulda-used-wikileaks dept.

I Don't Believe in Imaginary Property writes "A TJX employee was fired for an online post mentioning that TJX hasn't beefed up security after the recent, massive data breach that saw 94 million credit card numbers copied by criminals and money from their accounts stolen. The employee mentioned that, at first, their usernames were the same as their passwords. After they required stronger passwords, some managers complained, so they 'compromised' by allowing blank passwords. The whistleblower said he discussed his concerns with management, but that it was like talking to a brick wall. In spite of the weak internal security, TJX now has a firm that scours the internet to find bad things posted about them, which is how they found the message and fired him for it. Too bad they don't appear to have hired anyone to beef up operational security or to convince people to use strong passwords."

12 of 217 comments (clear)

  1. Re:um duh by gnosi · · Score: 5, Insightful

    Have they not learned from the others that have gone on before them. It is not the original error that will get you, but how you cover up your error that does.

    Anyone remember Nixon... and a few others.

    -- sig.com not found post halted

  2. I think there are laws. . . by JSBiff · · Score: 4, Insightful

    To protect whistleblowers, aren't there? Although, that might only be in the government, and maybe government contractors. Not sure if it extends to the private sector.

    The thing I'm puzzled about is, I thought that the electronic payment networks (MasterCard, Visa, Discover, Amex, etc) had very specific requirements for data security, including audits, which filter down to merchants (I realize that merchants don't generally do business directly with the networks [unless, maybe, they're Walmart or Sears], and instead go through intermediate companies that 'resell' the network services, but I thought the security requirements, and audit regimen, bubble down through the whole hierarchy?)

    1. Re:I think there are laws. . . by kmahan · · Score: 4, Insightful

      And who would the "proper authority" be in this case? His management doesn't care.

      Apparently PCI Compliance doesn't allow for input from the "little people" -- or would someone care to post a link that allows for submitting information to them?

      --
      Invalid Checksum. Retrying.
    2. Re:I think there are laws. . . by Pepebuho · · Score: 4, Insightful
      I am not a lawyer, but I think there might be some way to tie Sarbanes-Oaxley into this.
      As a Public Company, TJX is subject to Sarbanes Oaxley.

      Section 302 demands the certification of Internal Control on Financial data. With such shoddy password system I fail to see how they can comply with it.
      Section 404 demands management to assess risk and solve it
      Section 802 accrues criminal penalties for violations to Sarbanes Oaxley and (TADAM!!!)
      Section 1107 accrues criminal penalties for retaliations against whistleblowers.

      I think this guy should get hold of Section 1107 and run it for all it is worth!!!!

      From Wikipedia:
      http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act

      Section 1107 of the SOX 18 U.S.C. 1513(e) states:[23]

      " Whoever knowingly, with the intent to retaliate, takes any action harmful to any person, including interference with the lawful employment or livelihood of any person, for providing to a law enforcement officer any truthful information relating to the commission or possible commission of any federal offence, shall be fined under this title, imprisoned not more than 10 years, or both. I am not sure if posting to a blog could be construed as "providing to a law enforcement officer any truthful information bla bla bla", but I think this is his best shot.

      My 2 cents
  3. Re:Another older guy loses his capacity for outrag by elrous0 · · Score: 5, Insightful

    Being a whistleblower means sacrifice. No one gives you a medal for doing the right thing, nor should you expect anything but scorn.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  4. Re:Another older guy loses his capacity for outrag by compro01 · · Score: 4, Insightful

    Yes, things currently work that way. Things shouldn't work that way.

    --
    upon the advice of my lawyer, i have no sig at this time
  5. Re:Another older guy loses his capacity for outrag by spun · · Score: 4, Insightful

    Assuming this is how things actually are, what makes you think this kid expected anything different? Where do you see him begging for a medal?

    But it really sounds like you are going further, saying that not only is this how things are, but how they ought to be. It really sounds like you are coming down on the guy for doing the right thing.

    Or maybe you are trying to say that everyone should be as cynical as you are? Maybe you believe that we should all expect to get fucked over for doing the right thing, and anyone who doesn't expect that is an idiot who deserves what they got.

    Please clarify, do you think this guy got the treatment he deserves? Should we not be outraged here? I'm confused as to your motives for posting what you originally did.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  6. Re:Sad State of Affairs by Anonymous Coward · · Score: 5, Insightful

    What security people don't understand is that good security can be very, very, VERY expensive. Far more expensive than some simple PR. I'm not just talking about the up-front cost of doing security right in the first place, but the less noticeable costs of user training, user re-training, tech support, lost productivity (senior manager forgot his admin password), and the cost of letting people go who are very valuable and good at their jobs but too stupid to follow the proper security protocols.

    Good managers understand this and realize that spending that much money on protecting something that's really not very important to the company (customer identities) is just not good business. Until people start hearing on the nightly news that "TJMaxx gave your credit information to terrorists who used it to buy nuclear weapons and assassinate Jesus," the negative publicity they'll suffer is negligible.

  7. Re:RTFA by immcintosh · · Score: 5, Insightful

    If there's anybody he can sue, it would only be his ISP for divulging his information without his permission and also without a warrant. While the company was certainly out of line in the lengths they went through to accomplish this, there's nothing ILLEGAL about discovering an internet persona's true identity. They were perfectly free to ask all the questions they did. Whether the ISP had any right to divulge that information is another matter I don't really care to guess on.

  8. Re:RTFA by mwvdlee · · Score: 5, Insightful

    Asking somebody to break the law can be illegal too, depending on the exact details.
    Trouble is, due to their own well-documented incompetence in security, they'd have a pretty good chance to claim they simply didn't know it was illegal.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  9. Re:RTFA by compro01 · · Score: 4, Insightful

    And whatever happened to "ignorance of the law is no excuse"? One would think that should be doubly so for large corporations with legal departments to tell them what is and isn't legal.

    --
    upon the advice of my lawyer, i have no sig at this time
  10. Re:RTFA by ConceptJunkie · · Score: 4, Insightful

    You're assuming large corporations are actually subject to the law.

    --
    You are in a maze of twisty little passages, all alike.