Slashdot Mirror


TJX Fires Employee For Disclosing Vulnerability

I Don't Believe in Imaginary Property writes "A TJX employee was fired for an online post mentioning that TJX hasn't beefed up security after the recent, massive data breach that saw 94 million credit card numbers copied by criminals and money from their accounts stolen. The employee mentioned that, at first, their usernames were the same as their passwords. After they required stronger passwords, some managers complained, so they 'compromised' by allowing blank passwords. The whistleblower said he discussed his concerns with management, but that it was like talking to a brick wall. In spite of the weak internal security, TJX now has a firm that scours the internet to find bad things posted about them, which is how they found the message and fired him for it. Too bad they don't appear to have hired anyone to beef up operational security or to convince people to use strong passwords."


  1. ah well by pak9rabid · · Score: 2, Interesting

    Sounds like they were a shitty company anyways. I'm sure he'll be better off w/another company.

  2. Does the CEO condone this firing act? by ee_smajors · · Score: 4, Interesting

    This guy should be promoted to CIO for the company and given carte blanche to clean house on the asshole who did not deal with the original issue. Until I hear that this guy is justly treated, we will not ever spend another penny in TJX stores. Enough of us and the CEO will be looking for a new job.

  3. Re:Sad State of Affairs by Anonymous Coward · · Score: 3, Interesting

    If the cost of implementing security is greater than the estimated cost of lawsuits due to bad security, a company will not spend the money for better security. This is the same logic the blood banks used for AIDS testing of their blood (until the rhs eventually was greater than the lhs) and this is the same logic that automakers use for defects.

  4. Another older guy loses his capacity for outrage by spun · · Score: 5, Interesting

    Hey, yeah, what was this guy thinking, doing the right thing in spite of the risks? He deserved to get screwed over, right? Everyone just play along, don't rock the boat, do what you're told, and shut the hell up. Thanks so much for sharing your sage wisdom and mature outlook.

    Maybe he expected exactly what happened and blew the whistle anyway. So, wise elder, what would you have done?

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  5. Re:RTFA by moxley · · Score: 4, Interesting

    However they found out who he was it can't have been legal.

    He should fixate on this and sue them.

  6. Since when? by MrNougat · · Score: 3, Interesting

    Since when is "allowing blank passwords" a compromise, and not stupid?

    --
    Web 2.0 == Giant Blogspam Circle Jerk
  7. The word "further" bothers me.. by cheros · · Score: 2, Interesting

    ..given past record "further" is exactly NOT where they ought to be heading :-).

    --
    Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
  8. Re:RTFA by robot_lords_of_tokyo · · Score: 2, Interesting

    Are there any blanket consumer protection laws with regards to what information a provider can release to a third party? I always thought that it was completely at the discretion of the provider as to what information they can disclose, and for what reason. I hope I'm wrong.

  9. Re:Sad State of Affairs by AB3A · · Score: 5, Interesting

    Very expensive? Compared to what? Going out of business?

    What if your bank decided that those pesky safe deposit boxes would be a whole lot cheaper if only they could use unlocked filing cabinets instead. Would you still want to do business with them?

    The sad state of affairs here is that the problem doesn't become apparent until someone gets hacked.

    I think a firm that has a security breach ought to be forced to make restitution to the customers. Managers may not understand security, but they will understand lawsuits and damages.

    Only once you've rubbed a manager's nose in the problem can you expect a solution. We don't HAVE to address everything, but managers should at least be aware of the risks they're taking.

    It's a telling point that they've chosen to persecute instead of promote the person who exposed the flaws. These idiots would rather hide in the corner than address the risks up front.

    --
    Nearly fifty percent of all graduates come from the bottom half of the class!
  10. Re:One store by Anonymous Coward · · Score: 2, Interesting

    Yes, but IF I remember correctly the original breach occurred because of both physical and logical security control deficiencies at individual stores. This directly led to the compromise of systems at the headquarters, and, ultimately, customer information.

    As a full-time security professional and penetration tester that deals with companies in this situation every day, I can almost guarantee you that given their history and apparent mind-set towards security, almost anyone at a "script kiddie" level would be able to get to systems at the headquarters (depending on network architecture).

    Now the question is, knowing all this, what is your comfort level around TJX's ability to secure servers at their primary facility... mine is zero.

  11. Re:Another 23 year old realizes that McJobs suck by pla · · Score: 5, Interesting

    Seriously, what did he expect, that a lazy corporation was going to reform its security policies because a 23-year-old hourly employee complained anonymously on a blog?

    If they had any integrity - Yes, that sounds like the best possible outcome of this.

    Think about it - The CIO didn't say "okay, after a major data breach, go ahead and keep using pathetic passwords". The order came down from On High to use secure passwords. This proved inconvenient to hundreds of piddling middle-managers, who ordered "their" IT guys to find a way around all that nasty security. The local IT guys complied, by allowing blank passwords (Corporate probably never expected anything that stupid, and so didn't have a policy stating otherwise).

    So, sometime later, Corporate discovers what has happened, and it enrages them. They meet, discuss, take aim, and fire...

    ...At their own foot.


    And what did he think they were going to do when they caught him, give him a raise and a promise to change their cheap lazy ways?

    They could have addressed the problem and rewarded the child who dared to laugh at the naked emperor. By choosing not to, they have very effectively told me they care more about appearances than the security of my credit card data. As a result, I will no longer shop there.

  12. Re:RTFA by frank_adrian314159 · · Score: 3, Interesting

    Oddly enough, even though ignorance of the law is not an excuse, it can be a mitigating factor. If you get caught, you're more likely to get a reduced sentence if what you are charged with is not obviously illegal. If you check and find out an action is illegal and then get caught, you're more likely to get the book thrown at you. It's sort of like patent infringement. If you do a search, find a device/process you're infringing upon, and use it anyway, it's willful infringement and the patent holder can get triple damages; if you don't know it's infringement, you only get normal damages. As such, managers are advised to ask about legality sparingly.

    P.S. I am not an attorney. Do not take this as valid legal advice.

    --
    That is all.
  13. Re:um duh by iminplaya · · Score: 2, Interesting

    Anyone remember Nixon...

    How can we forget? We're still living under his legacy.

    What this guy should have done was to mail a letter to wikileaks. The post office still has some very strong privacy protections built in. Certainly better than any of your ISPs.

    --
    What?
  14. Re:I think there are laws. . . by colinbrash · · Score: 2, Interesting

    And who would the "proper authority" be in this case? His management doesn't care. That would be the point. There isn't a "proper authority" because the company isn't doing anything illegal. If, on the other hand, the company is doing something illegal, surely the "proper authority" would be fairly clear? I'm not sure why everyone seems to be defending this guy and jumping on the "whistleblower" bandwagon. How can you expect to post sensitive security details about your company to an internet forum and not lose your job? Regardless of how dumb the company is, this employee isn't the brightest either if he expected -- and wanted -- to keep his job.
  15. Re:RTFA by Zero__Kelvin · · Score: 4, Interesting

    It seems likely to me that he is protected by the Whistle Blower Law, since he posted to the thread:

    > News and Links
    >
    > If you have some interesting news or want to throw up a link to discuss it, here's the place. Anything is okay, even shameless vendor launches (since that is often applicable to what we work on).

    He tried to resolve it internally, and when the internal approach failed, he posted it to a news portion of the sla.ckers.org website.

    I concede that IANAL, so of course, I could be wrong, however the courts have already ruled that blogs and other web based news sites qualify under protections provided to the media.
    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  16. Not surprising by Anonymous Coward · · Score: 1, Interesting

    This is the typical corporate bull. I remember when I worked for Safeway and they first installed self checkouts: every night you had to print credit card signatures, which included every single person's full credit card number along with their signature. Even worse, managers would set the things to print and just walk off. These were not printed in a back room but on the actual check stands, making it possible for anybody to just walk up and grab a pile of people's credit card information. Luckily Safeway fixed this problem, but it took them a good 6 months to get around to it.

  17. We, your former customers, want security from you. by LostCluster · · Score: 2, Interesting

    TJX just doesn't get it. They hired a team to look for insider negative postings, and considered that an increase in security. They consider the negative poster a rogue insider... but they can't seem to track down who was at fault for the massive breach that they suffered from. That's the person we really want fired.

    What we, the people who used to shop at TJ Maxx, Marshalls, AJ Wright, HomeGoods, and Bob's Stores, are looking to see is that they can finally claim that they increased their security (using the same standards we expect on the web) so that nobody can intercept what we show the cashier, our credit card stripe data and signature, on its way to the credit card processing company they're using. Good encryption is freely available, great would be hearing that they hired a company that cares about it.

    They're thinking about what directly impacts the bottom line (profits) while forgetting that what upsets the customers will directly impact the top line (sales) that will impact that bottom line too.

  18. Re:I was about to say... by LostCluster · · Score: 3, Interesting

    TJX is a range of store brands listed here.

  19. Re:Another 23 year old realizes that McJobs suck by Beryllium+Sphere(tm) · · Score: 2, Interesting

    >>And what did he think they were going to do when they caught him, give him a raise and a promise to change their cheap lazy ways?

    >They could have addressed the problem and rewarded the child who dared to laugh at the naked emperor.

    Punishing employees who let you know about problems is like disconnecting your smoke detector. Some of the big security policy frameworks call for a policy statement that *requires* reporting of security problems. If TJX had been my client, they would have been advised to go one step beyond that to encourage bug reports.

  20. here are the stores you should avoid by museumpeace · · Score: 2, Interesting

    http://www.tjx.com/employment/life_brands.html I don't know who paid for it but I have had new credit cards issued not because I asked for them... kinda messed up my cookies for online purchases. These guys suck.

    --
    SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
  21. Passwords are easy , there is no excuse. by geekoid · · Score: 2, Interesting

    For example:
    BIG_b00bs_a how hard is that to remember?
    another
    P4ssw0rd5_suck_m3_0ff

    Another:
    ROY_G_B1V_aa

    Jeez, there really isn't any excuse. I think they called this PAL in the Military.
    How about the first few letters from the first words in a song or poem?
    from Mary had a little lamb:
    Mhallwfwwas&wmw12

    or another
    IXdKKaspdd_10

    This "can't remember password" BS really annoys me.
    Add to that the fact that any computer system today should lock down the computer after 3 attempts... ah hell, let's make it 5 attempts. That should prevent a brute force or dictionary attack from happening, so changing your password isn't really that necessary any more; it's a holdout from 25 years ago when you could only have 8 characters and there wasn't any lockout.
    Since most people who implement security do not understand security and could do risk analysis if their life depended on it, I'm not surprised at the state of affairs in computer security.

    And before someone who thinks they know what they are doing corrects me, yes, I do know there are some systems that need tighter security, like missile Codes. Having handled them I know a thing or 4 about them. I am talking about security for 99.99% of everyone else.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
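An added example, not code from the thread or from TJX: a password-policy check that rejects the two failures the story describes (blank passwords and passwords equal to the username) plus the consecutive-failure lockout comment 21 argues for. The length minimum, the 5-attempt threshold and the lockout duration are assumed values.

```python
# Added example (not from the thread): password policy + attempt lockout.
import hashlib
import hmac
import os

MIN_LENGTH = 12          # assumed minimum length
MAX_FAILURES = 5         # lock after this many consecutive failures (comment 21's "5 attempts")
LOCKOUT_SECONDS = 900    # assumed lockout duration
PBKDF2_ROUNDS = 100_000  # assumed work factor


def password_problems(username: str, password: str) -> list:
    """Return policy violations for a proposed password; an empty list means acceptable.
    The first two checks cover the failures in the story: blank password, password == username."""
    problems = []
    if password == "":
        problems.append("blank password")
    if password.lower() == username.lower():
        problems.append("password equals username")
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = (any(c.islower() for c in password) + any(c.isupper() for c in password)
               + any(c.isdigit() for c in password) + any(not c.isalnum() for c in password))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    return problems


def make_record(password: str) -> dict:
    """Store a salted PBKDF2 hash plus lockout state, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "failures": 0, "locked_until": 0.0}


def attempt_login(users: dict, username: str, password: str, now: float) -> str:
    """Return 'ok', 'denied' or 'locked'. `now` is a unix timestamp passed in for testability."""
    rec = users.get(username)
    if rec is None:
        return "denied"
    if now < rec["locked_until"]:
        return "locked"                      # still inside the lockout window
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    if hmac.compare_digest(digest, rec["hash"]):
        rec["failures"] = 0                  # success resets the consecutive-failure count
        return "ok"
    rec["failures"] += 1
    if rec["failures"] >= MAX_FAILURES:
        rec["failures"] = 0
        rec["locked_until"] = now + LOCKOUT_SECONDS
        return "locked"                      # the Nth failure triggers the lockout
    return "denied"
```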
  22. Re:I think there are laws. . . by geekoid · · Score: 3, Interesting

    True, but when you show up to court, they're going to be looked at real carefully.
    Has anyone else been 3 minutes late and not been fired? What does your policy say?

    The courts are suspicious of those kinds of amazing coincidences.

    Even if you are 'perfect' they can find one, no doubt. That doesn't mean you don't have recourse.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  23. Re:RTFA by RockDoctor · · Score: 2, Interesting

    Trouble is, due to their own well-documented incompetence in security, they'd have a pretty good chance to claim they simply didn't know it was illegal.
    Do TJX (whoever they are) have any divisions outside America, so that I know who to avoid?
    --
    Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  24. Re:Sad State of Affairs by Dog-Cow · · Score: 3, Interesting

    Anybody in a company that doesn't think their data is valuable should be sent walking, immediately. I bet TJX takes the security of their data VERY seriously. But what was leaked was your data. That's not important.