Slashdot Mirror


TJX Fires Employee For Disclosing Vulnerability

I Don't Believe in Imaginary Property writes "A TJX employee was fired for an online post mentioning that TJX hasn't beefed up security after the recent, massive data breach that saw 94 million credit card numbers copied by criminals and money from their accounts stolen. The employee mentioned that, at first, their usernames were the same as their passwords. After they required stronger passwords, some managers complained, so they 'compromised' by allowing blank passwords. The whistleblower said he discussed his concerns with management, but that it was like talking to a brick wall. In spite of the weak internal security, TJX now has a firm that scours the internet to find bad things posted about them, which is how they found the message and fired him for it. Too bad they don't appear to have hired anyone to beef up operational security or to convince people to use strong passwords."
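The two settings the summary describes (passwords equal to the username, then blank passwords accepted as a "compromise") are exactly the cases a password-acceptance check should reject before a credential is ever stored. The block below is an added example, not code from TJX, the submitter or Slashdot: a small policy checker that runs at password-set time, plus an audit over a handful of constructed account records. The minimum length, the rule names and the sample accounts are assumptions for the example.

```python
"""Password-policy check for the weak settings described in the summary.

Illustrative code added to the page, not anything TJX deployed. MIN_LENGTH,
the rule names and the sample accounts are assumptions for the example.
"""
from __future__ import annotations

from dataclasses import dataclass

MIN_LENGTH = 12  # assumed policy minimum, not a value from the story


@dataclass(frozen=True)
class Account:
    username: str
    password: str  # plaintext candidate, as seen at password-set time before hashing


def policy_violations(username: str, password: str) -> list[str]:
    """Return every rule the candidate password breaks; an empty list means accepted."""
    violations: list[str] = []
    if password == "":
        # The "compromise" in the story: a blank password must never be accepted.
        violations.append("blank password")
    if password.lower() == username.lower():
        # The original state in the story: username used as the password.
        violations.append("password equals username")
    elif username and username.lower() in password.lower():
        # Near-miss variants ("jsmith1", "Jsmith2007") are rejected as well.
        violations.append("password contains username")
    if 0 < len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    return violations


def audit(accounts: list[Account]) -> dict[str, list[str]]:
    """Map each non-compliant username to its violations; compliant accounts are omitted."""
    report: dict[str, list[str]] = {}
    for account in accounts:
        found = policy_violations(account.username, account.password)
        if found:
            report[account.username] = found
    return report


# Constructed sample records for the example; not real TJX accounts.
SAMPLE_ACCOUNTS = [
    Account("jsmith", "jsmith"),                 # username as password
    Account("manager1", ""),                     # blank password
    Account("cashier", "Cashier2007"),           # contains username, too short
    Account("ops", "correct-horse-battery"),     # accepted
]

if __name__ == "__main__":
    for user, problems in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {', '.join(problems)}")
```

Because the check needs the plaintext candidate, it belongs in the password-change path, not in a scan of the stored hashes; for existing accounts whose plaintext you do not have, the equivalent audit is an offline crack attempt with each username and the empty string as the candidate list.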

5 of 217 comments

  1. Re:um duh by gnosi · · Score: 5, Insightful

    Have they not learned from the others that have gone on before them? It is not the original error that will get you, but how you cover up your error that does.

    Anyone remember Nixon... and a few others.

    -- sig.com not found post halted

  2. Re:Another older guy loses his capacity for outrag by elrous0 · · Score: 5, Insightful

    Being a whistleblower means sacrifice. No one gives you a medal for doing the right thing, nor should you expect anything but scorn.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.

  3. Re:Sad State of Affairs by Anonymous Coward · · Score: 5, Insightful

    What security people don't understand is that good security can be very, very, VERY expensive. Far more expensive than some simple PR. I'm not just talking about the up-front cost of doing security right in the first place, but the less noticeable costs of user training, user re-training, tech support, lost productivity (senior manager forgot his admin password), and the cost of letting people go who are very valuable and good at their jobs but too stupid to follow the proper security protocols.

    Good managers understand this and realize that spending that much money on protecting something that's really not very important to the company (customer identities) is just not good business. Until people start hearing on the nightly news that "TJMaxx gave your credit information to terrorists who used it to buy nuclear weapons and assassinate Jesus," the negative publicity they'll suffer is negligible.

  4. Re:RTFA by immcintosh · · Score: 5, Insightful

    If there's anybody he can sue, it would only be his ISP for divulging his information without his permission and also without a warrant. While the company was certainly out of line in the lengths they went through to accomplish this, there's nothing ILLEGAL about discovering an internet persona's true identity. They were perfectly free to ask all the questions they did. Whether the ISP had any right to divulge that information is another matter I don't really care to guess on.

  5. Re:RTFA by mwvdlee · · Score: 5, Insightful

    Asking somebody to break the law can be illegal too, depending on the exact details.
    Trouble is, due to their own well-documented incompetence in security, they'd have a pretty good chance to claim they simply didn't know it was illegal.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?