Slashdot Mirror


TJX Fires Employee For Disclosing Vulnerability

I Don't Believe in Imaginary Property writes "A TJX employee was fired for an online post mentioning that TJX hasn't beefed up security after the recent, massive data breach that saw 94 million credit card numbers copied by criminals and money from their accounts stolen. The employee mentioned that, at first, their usernames were the same as their passwords. After they required stronger passwords, some managers complained, so they 'compromised' by allowing blank passwords. The whistleblower said he discussed his concerns with management, but that it was like talking to a brick wall. In spite of the weak internal security, TJX now has a firm that scours the internet to find bad things posted about them, which is how they found the message and fired him for it. Too bad they don't appear to have hired anyone to beef up operational security or to convince people to use strong passwords."

6 of 217 comments

  1. Does the CEO condone this firing act? by ee_smajors · · Score: 4, Interesting

    This guy should be promoted to CIO for the company and given carte blanche to clean house on the asshole who did not deal with the original issue. Until I hear that this guy is justly treated, we will not ever spend another penny in TJX stores. Enough of us and the CEO will be looking for a new job.

  2. Another older guy loses his capacity for outrage by spun · · Score: 5, Interesting

    Hey, yeah, what was this guy thinking, doing the right thing in spite of the risks? He deserved to get screwed over, right? Everyone just play along, don't rock the boat, do what you're told, and shut the hell up. Thanks so much for sharing your sage wisdom and mature outlook.

    Maybe he expected exactly what happened and blew the whistle anyway. So, wise elder, what would you have done?

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  3. Re:RTFA by moxley · · Score: 4, Interesting

    However they found out who he was it can't have been legal.

    He should fixate on this and sue them.

  4. Re:Sad State of Affairs by AB3A · · Score: 5, Interesting

    Very expensive? Compared to what? Going out of business?

    What if your bank decided that those pesky safe deposit boxes would be a whole lot cheaper if only they could use unlocked filing cabinets instead. Would you still want to do business with them?

    The sad state of affairs here is that the problem doesn't become apparent until someone gets hacked.

    I think a firm that has a security breach ought to be forced to make restitution to the customers. Managers may not understand security, but they will understand lawsuits and damages.

    Only once you've rubbed a manager's nose in the problem can you expect a solution. We don't HAVE to address everything, but managers should at least be aware of the risks they're taking.

    It's a telling point that they've chosen to persecute instead of promote the person who exposed the flaws. These idiots would rather hide in the corner than address the risks up front.

    --
    Nearly fifty percent of all graduates come from the bottom half of the class!
  5. Re:Another 23 year old realizes that McJobs suck by pla · · Score: 5, Interesting

    Seriously, what did he expect, that a lazy corporation was going to reform its security policies because a 23-year-old hourly employee complained anonymously on a blog?

    If they had any integrity - Yes, that sounds like the best possible outcome of this.

    Think about it - The CIO didn't say "okay, after a major data breach, go ahead and keep using pathetic passwords". The order came down from On High to use secure passwords. This proved inconvenient to hundreds of piddling middle-managers, who ordered "their" IT guys to find a way around all that nasty security. The local IT guys complied, by allowing blank passwords (Corporate probably never expected anything that stupid, and so didn't have a policy stating otherwise).

    So, sometime later, Corporate discovers what has happened, and it enrages them. They meet, discuss, take aim, and fire...

    ...At their own foot.

    And what did he think they were going to do when they caught him, give him a raise and a promise to change their cheap lazy ways?

    They could have addressed the problem and rewarded the child who dared to laugh at the naked emperor. By choosing not to, they have very effectively told me they care more about appearances than the security of my credit card data. As a result, I will no longer shop there.

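The failure mode the summary and comment 5 describe is a password rule that can be satisfied by a blank password, alongside accounts whose password is simply the username. The following is an added illustration, not code from TJX, Slashdot or any commenter: a policy check written purely as prohibitions (which the empty string passes vacuously), beside a hardened check with positive requirements, run over a constructed, hypothetical account list.

```python
"""Password-policy audit, added here as an example (not from the page).

It contrasts a naive "strong password" check built only from must-NOT
rules, which an empty password satisfies vacuously, with a strict check
that states what a password MUST have and rejects username matches.
All account data below is constructed for the example.
"""
from typing import Dict, List

# Constructed sample accounts (hypothetical; no real credentials).
SAMPLE_ACCOUNTS = [
    {"user": "jsmith", "password": "jsmith"},        # password == username
    {"user": "mgr01",  "password": ""},              # blank password
    {"user": "alice",  "password": "Tr0ub4dor&3!"},  # meets strict policy
    {"user": "bob",    "password": "Password1"},     # complex but short
]


def naive_complexity_ok(password: str) -> bool:
    """Prohibition-only policy: no whitespace, no run of three identical
    characters. Nothing is required to be present, so "" violates
    nothing and passes. This is how a site can claim to enforce a
    strong-password mandate while still allowing blank passwords."""
    no_spaces = not any(c.isspace() for c in password)
    # range(len - 2) is empty for short strings, so all() is True for "".
    no_triple_run = all(
        password[i:i + 3] != password[i] * 3 for i in range(len(password) - 2)
    )
    return no_spaces and no_triple_run


def strict_policy_violations(user: str, password: str, min_len: int = 12) -> List[str]:
    """Requirement-based policy: returns a list of violations (empty = OK).
    Positive requirements close the vacuous-truth hole; the username
    check catches the default the summary describes."""
    problems: List[str] = []
    if password == "":
        problems.append("blank password")
    elif len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if password.lower() == user.lower():
        problems.append("password equals username")
    if password:
        classes = sum([
            any(c.islower() for c in password),
            any(c.isupper() for c in password),
            any(c.isdigit() for c in password),
            any(not c.isalnum() for c in password),
        ])
        if classes < 3:
            problems.append("fewer than 3 character classes")
    return problems


def naive_passers(accounts: List[Dict[str, str]]) -> List[str]:
    """Users the prohibition-only check would wave through."""
    return [a["user"] for a in accounts if naive_complexity_ok(a["password"])]


def audit(accounts: List[Dict[str, str]], min_len: int = 12) -> Dict[str, List[str]]:
    """Map each non-compliant user to its violations under the strict policy."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        found = strict_policy_violations(acct["user"], acct["password"], min_len)
        if found:
            report[acct["user"]] = found
    return report


if __name__ == "__main__":
    print("naive check passes:", naive_passers(SAMPLE_ACCOUNTS))
    for user, problems in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {', '.join(problems)}")
```

Run as a script, the naive check passes every constructed account, including the blank one and the username-as-password one, while the strict audit flags three of the four. The design point is that a policy expressed only as prohibitions has no floor; a minimum length and a username comparison are the two rules that would have caught both problems the summary reports.
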
  6. Re:RTFA by Zero__Kelvin · · Score: 4, Interesting

    It seems likely to me that he is protected by the Whistle Blower Law, since he posted to the thread:

        News and Links

        If you have some interesting news or want to throw up a link to discuss it, here's the place. Anything is okay, even shameless vendor launches (since that is often applicable to what we work on).

    He tried to resolve it internally, and when the internal approach failed, he posted it to a news portion of the sla.ckers.org website.

    I concede that IANAL, so of course I could be wrong; however, the courts have already ruled that blogs and other web-based news sites qualify for the protections provided to the media.
    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun