Slashdot Mirror

← Back to Stories (view on slashdot.org)

TJX Fires Employee For Disclosing Vulnerability

Posted by kdawson on from the shoulda-used-wikileaks dept.

I Don't Believe in Imaginary Property writes "A TJX employee was fired for an online post mentioning that TJX hasn't beefed up security after the recent, massive data breach that saw 94 million credit card numbers copied by criminals and money from their accounts stolen. The employee mentioned that, at first, their usernames were the same as their passwords. After they required stronger passwords, some managers complained, so they 'compromised' by allowing blank passwords. The whistleblower said he discussed his concerns with management, but that it was like talking to a brick wall. In spite of the weak internal security, TJX now has a firm that scours the internet to find bad things posted about them, which is how they found the message and fired him for it. Too bad they don't appear to have hired anyone to beef up operational security or to convince people to use strong passwords."

87 of 217 comments (clear)

  1. um duh by Brian+Gordon · · Score: 3, Insightful

    If you non-anonymously whistleblow on your own company what do you expect..

    1. Re:um duh by gnosi · · Score: 5, Insightful

      Have they not learned from the others that have gone on before them. It is not the original error that will get you, but how you cover up your error that does.

      Anyone remember Nixon... and a few others.

      -- sig.com not found post halted

    2. Re:um duh by cyphercell · · Score: 2, Informative

      Here's where the company gets in trouble:

      https://www.pcisecuritystandards.org/tech/

      which is funny, I used to work upgrading old credit card systems for the pci dss, the scuttlebut at the time was that TJX was the REASON for implementing the DSS in the first place. TJX ought to have the Credit Co.s run a train on 'em for this shit.

      --
      Under the influence of Post-Cyberpunk Gonzo Journalism
    3. Re:um duh by iminplaya · · Score: 2, Interesting

      Anyone remember Nixon...

      How can we forget? We're still living under his legacy.

      What this guy should have done was to mail a letter to wikileaks. The post office still has some very strong privacy protections built in. Certainly better than any of your ISPs.

      --
      What?
  2. I was about to say... by vertinox · · Score: 4, Informative

    Who is TJX and how can I avoid doing business with them, but then I realized they were TJ Maxx and Marshall's and I don't do business with them anyways.

    --
    "I am the king of the Romans, and am superior to rules of grammar!"
    -Sigismund, Holy Roman Emperor (1368-1437)
    1. Re:I was about to say... by Anonymous Coward · · Score: 5, Informative

      It doesnt matter if you do not do buisness directly with TJX or whomever you do not like.... if you use a check or a CC when making a purchase odds are it goes through one of a few companies for processing. I used to work for a financial institution that leaked 20+million personal info to the world.... so, did you make any purchases at bestbuy or compusa last year? if so, your name was probably in the lot.

    2. Re:I was about to say... by Anonymous Coward · · Score: 4, Funny

      that's fine--if someone gets my debit card number, they're welcome to both of the dollars in the account

    3. Re:I was about to say... by ksd1337 · · Score: 5, Funny

      My wife once had her credit card stolen (physically stolen). We got the CC bill a week later.

      "Honey, look! The bill's $700 cheaper than last month!"

      Now I go out with her when she decides to buy something.

    4. Re:I was about to say... by Scaba · · Score: 2, Funny

      Yea, everyone around here agrees that she's a pretty good lay.

    5. Re:I was about to say... by Anonymous+Brave+Guy · · Score: 2, Insightful

      The problem is when they take the third dollar from your two-dollar account, you default on the "bad debt", and then you can't get a mortgage for several years because you're a "credit risk".

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    6. Re:I was about to say... by LostCluster · · Score: 3, Interesting

      TJX is a range of store brands listed here.

  3. Sad State of Affairs by PacketScan · · Score: 3, Insightful

    Sadly this is business as a whole. They would rather spend a little after the fact to defend rather than spend just a few dollars to beef up security before a problem occurs. Management is completely inept most times when it comes to security concerns.

    1. Re:Sad State of Affairs by Anonymous Coward · · Score: 3, Interesting

      If the cost of implementing security is greater than the estimated cost of lawsuits due to bad security, a company will not spend the money for better security. This is the same logic the blood banks used for AIDS testing of their blood (until the rhs eventually was greater than the lhs) and this is the same logic that automakers use for defects.

    2. Re:Sad State of Affairs by BSAtHome · · Score: 2, Insightful

      Everything that is The Right Thing(TM) is tech talk and is normally not understood by management. Techs and management speak different languages which often cause them to work against each other. This is sad but true and this story is another example. Management sees the cost in monetary terms (often short term), whereas the tech sees the cost in a much broader sense (often long term). The inherent conflict can be solved, or at least minimized, if you can find an intermediate who can translate between the layers.

    3. Re:Sad State of Affairs by Thelasko · · Score: 2, Insightful

      Sadly this is business as a whole. They would rather spend a little after the fact to defend rather than spend just a few dollars to beef up security before a problem occurs. Management is completely inept most times when it comes to security concerns. Not just security concerns, but any issue. Since their inception, companies have developed policies of less customer service, less security, and an overall goal to screw over the customer. The internet is a means to cure all of those issues because if provides the medium for consumers to organize and retaliate against this tyranny. Unfortunately, instead of improving the overall performance of the company, management chooses to troll forums in attempts to suppress any unfavorable comments about them.

      Corporations, take a lesson from the MPAA and the AACS LA. Once it hits the internet, it's too late!
      --
      One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    4. Re:Sad State of Affairs by Anonymous Coward · · Score: 5, Insightful

      What security people don't understand is that good security can be very, very, VERY expensive. Far more expensive than some simple PR. I'm not just talking about the up-front cost of doing security right in the first place, but the less noticeable costs of user training, user re-training, tech support, lost productivity (senior manager forgot his admin password), and the cost of letting people go who are very valuable and good at their jobs but too stupid to follow the proper security protocols.

      Good managers understand this and realize that spending that much money on protecting something that's really not very important to the company (customer identities) is just not good business. Until people start hearing on the nightly news that "TJMaxx gave your credit information to terrorists who used it to buy nuclear weapons and assassinate Jesus," the negative publicity they'll suffer is negligible.

    5. Re:Sad State of Affairs by eric76 · · Score: 2, Insightful

      I suspect that the most expensive of all is trying to teach the president of a company that running open wireless routers is a very serious security problem.

      It might be easier to convince an alligator to voluntarily become a vegetarian.

    6. Re:Sad State of Affairs by AB3A · · Score: 5, Interesting

      Very expensive? Compared to what? Going out of business?

      What if your bank decided that those pesky safe deposit boxes would be a whole lot cheaper if only they could use unlocked filing cabinets instead. Would you still want to do business with them?

      The sad state of affairs here is that the problem doesn't become apparent until someone gets hacked.

      I think a firm that has a security breech ought to be forced to make restitution to the customers. Managers may not understand security, but they will understand lawsuits and damages.

      Only once you've rubbed a manager's nose in the problem can you expect a solution. We don't HAVE to address everything, but managers should at least be aware of the risks they're taking.

      It's a telling point that they've chosen to persecute instead of promote the person who exposed the flaws. These idiots would rather hide in the corner than address the risks up front.

      --
      Nearly fifty percent of all graduates come from the bottom half of the class!
    7. Re:Sad State of Affairs by moderatorrater · · Score: 5, Funny

      This has been a struggle for centuries.

      Engineer: "I don't care what you read in 'Feudal Lords Monthly', if you want this castle to be secure, we need 2000 foot tall walls, 700 feet thick with a moat of pure acid that's 200 feet deep."
      Lord: "But I read that this spell of invisibility and Norton(tm) balsa wood framework is just as good. It leads the industry!"

    8. Re:Sad State of Affairs by twiddlingbits · · Score: 2, Insightful

      It doesn't have to get as far as terrorists and nukes if the Credit Card companies would enforce the penalties for non-compliance to the PCI Standard. I know that the credit card processing agreement that my s.o. business has indicates that if your firm is "leaking" card numbers due to inadequate security they can penalize UP TO the removal of your firm priveleges to accept credit cards. Seeing as how many retail stores get 50%+ of their sales from Credit Cards or branded debit cards that would be a big hurt if they had thier acceptance revoked. Just to be clear I've never seen or heard of this credit card death penalty being applied as it would hurt Visa/MC/Amex too as they wouldn't be getting fees on each sale (which can be 3-5%). So penalizing TJX could cost Visa/MC/AMEX a large sum of money. IMHO a better way would be to keep increasing the cut the card companies get when a firm has sucky security until it's gets too expensive NOT to fix the problem.

    9. Re:Sad State of Affairs by Tom · · Score: 3, Insightful

      What security people don't understand is that good security can be very, very, VERY expensive. Maybe. But the point here wasn't about good security it was about minimum security.

      Good security can be expensive. But adequate security is fairly cheap. "password == username" and "blank password" are essentially equal to "no password". Having any password at all, even if it's weak from the POV of a security expert (say, a word from the dictionary) is still a whole lot better than having no password. And it's not very expensive. A billion people in millions of companies manage to remember their login password from monday through friday, and sometimes even over the weekend. I'm sure with just a little training, TJX managers would be able to do that, too.
      --
      Assorted stuff I do sometimes: Lemuria.org
    10. Re:Sad State of Affairs by Dog-Cow · · Score: 3, Interesting

      Anybody in a company that doesn't thinking their data is valuable, should be sent walking, immediately. I bet TJX takes the security of their data VERY seriously. But what was leaked was your data. That's not important.
  4. ah well by pak9rabid · · Score: 2, Interesting

    Sounds like they were a shitty company anyways. I'm sure he'll be better off w/another company.

    1. Re:ah well by ivan256 · · Score: 3, Funny

      Wait... He was an hourly associate in one of their retail outlets?

      McDonalds is always hiring. It'll be a step up for him.

  5. One store by Anonymous Coward · · Score: 4, Informative

    This was a server at one store, not the TJX headquarters where the data is kept.

    1. Re:One store by Anonymous Coward · · Score: 5, Informative

      "This was a server at one store, not the TJX headquarters where the data is kept"

      The original loss of data was caused by weak passwords on wireless routers. War dialers parked outside a store (or stores) captured data that was then used to collect millions of credit card numbers from the HQ servers. One of the problems was that TJX kept CC numbers on file long after they had any use for the information. This is a case where bad security at one store compromised the whole corporation. Sounds like nothing has changed

    2. Re:One store by Anonymous Coward · · Score: 2, Interesting

      Yes, but IF I remember correctly the original breach occurred because of both physical and logical security control deficiencies at individual stores. This directly lead to the compromise of systems at the headquarters, and, ultimately, customer information.

      As a full-time security professional and penetration tester that deals with companies in this situation everyday I can almost guarantee you that given their history and apparent mind-set towards security, almost anyone at a "script kiddie" level would be able to get to systems at the headquarters (depending on network architecture).

      Now the question is, knowing all this, what is your comfort level around TJX's ability to secure servers at their primary facility... mine is zero.

    3. Re:One store by darkmeridian · · Score: 4, Informative

      The war dialers logged into TJX HQ servers and were able to install applications that sniffed network traffic and logged passwords. TJX not only kept CC numbers long after they had any use for the information, they also kept transactional CC data that was not supposed to be kept after a transaction was done.

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    4. Re:One store by jamstar7 · · Score: 3, Insightful

      TJX not only kept CC numbers long after they had any use for the information, they also kept transactional CC data that was not supposed to be kept after a transaction was done.

      Um, isn't this what the US government wants done with the new regulations? As well as sharing this info with the gov, of course...

      --
      Understanding the scope of the problem is the first step on the path to true panic.
  6. Same happened to me :( by Anonymous Coward · · Score: 5, Funny

    I used the same password as this account, and obviously some people found out about it and have been posting under my username for ages! :(

    1. Re:Same happened to me :( by trolltalk.com · · Score: 5, Funny

      I used the same password as this account, and obviously some people found out about it and have been posting under my username for ages! :(

      That's what you get for using "12345" as your password, Mr. President!

      --
      Kevin Smith on Prince
    2. Re:Same happened to me :( by MooseMuffin · · Score: 3, Funny

      That's amazing! I've got the same combination on my luggage!

    3. Re:Same happened to me :( by eric76 · · Score: 2, Funny

      I wondered how Anonymous Coward could post so many times on every topic imagineable.

      All this time I've thought that it was from one very screwed up person, but now we know it is really from a bunch of people posting with your username and password.

  7. Another 23 year old realizes that McJobs suck by elrous0 · · Score: 3, Insightful

    Seriously, what did he expect, that a lazy corporation was going to reform its security policies because a 23-year-old hourly employee complained anonymously on a blog? And what did he think they were going to do when they caught him, give him a raise and a promise to change their cheap lazy ways?

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:Another 23 year old realizes that McJobs suck by dgatwood · · Score: 2, Informative

      Remember, kids, like TSA Panda says, the appearance of security is more important than actual security.

      BTW, Sarbanes-Oxley has whistleblower protection that may get this company in deep, deep s**t for firing this blogger....

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    2. Re:Another 23 year old realizes that McJobs suck by pla · · Score: 5, Interesting

      Seriously, what did he expect, that a lazy corporation was going to reform its security policies because a 23-year-old hourly employee complained anonymously on a blog?

      If they had any integrity - Yes, that sounds like the best possible outcome of this.

      Think about it - The CIO didn't say "okay, after a major data breach, go ahead and keep using pathetic passwords". The order came down from On High to use secure passwords. This proved inconvenient to hundreds of piddling middle-managers, who ordered "their" IT guys to find a way around all that nasty security. The local IT guys complied, by allowing blank passwords (Corporate probably never expected anything that stupid, and so didn't have a policy stating otherwise).

      So, sometime later, Corporate discovers what has happened, and it enrages them. They meet, discuss, take aim, and fire...

      ...At their own foot.


      And what did he think they were going to do when they caught him, give him a raise and a promise to change their cheap lazy ways?

      They could have addressed the problem and rewarded the child who dared to laugh at the naked emperor. By chosing not to, they have very effectively told me they care more about appearances than the security of my credit card data. As a result, I will no longer shop there.

    3. Re:Another 23 year old realizes that McJobs suck by dgatwood · · Score: 3, Informative

      The heck it didn't. It had to do with a complete lack of security on computer systems that were used in financial transactions. It's hard to keep accurate financial records if key financial systems can be trivially compromised. It also represents a HUGE threat to the financial viability of the company, and technically, failure to include such risks as part of your regular corporate reporting to the SEC is a pretty major case of investor fraud, which was the whole point of Sarbanes-Oxley....

      Sadly, covering up security problems seems to be the norm in banking circles. Really gives you a lot of trust in their ability to guard your money, doesn't it?

      Oh, and here's a similar story from 2005 that also suggests that this is likely SarbOx territory.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    4. Re:Another 23 year old realizes that McJobs suck by Beryllium+Sphere(tm) · · Score: 2, Interesting

      >>And what did he think they were going to do when they caught him, give him a raise and a promise to change their cheap lazy ways?

      >They could have addressed the problem and rewarded the child who dared to laugh at the naked emperor.

      Punishing employees who let you know about problems is like disconnecting your smoke detector. Some of the big security policy frameworks call for a policy statement that *requires* reporting of security problems. If TJX had been my client, they would have been advised to go one step beyond that to encourage bug reports.

  8. RTFA by Anonymous Coward · · Score: 5, Informative

    "So last August, Benson took to Sla.ckers.org, a website dedicated to web application security, and began anonymously reporting the shoddy practices in this user forum."

    1. Re:RTFA by TubeSteak · · Score: 5, Informative

      began anonymously reporting the shoddy practices in this user forum." He was the squeaky wheel at the store, then went online and squeaked some more.
      http://ha.ckers.org/blog/20080522/tjx-whistle-blower/

      They tracked him down by IP (we're still not completely sure how they did this, but we think it may have to do with a DynDNS account he uses), contacted his ISP to find out who he was, brought him into the office, questioned him about what he found, asked for him to write down his thoughts on how to fix the issues and then promptly fired him. Long story short: You aren't anonymous unless you're going through an anonymous overseas proxy or three.
      At least it'll be harder to get your IP from a foreign company.
      --
      [Fuck Beta]
      o0t!
    2. Re:RTFA by moxley · · Score: 4, Interesting

      However they found out who he was it can't have been legal.

      He should fixate on this and sue them.

    3. Re:RTFA by immcintosh · · Score: 5, Insightful

      If there's anybody he can sue, it would only be his ISP for divulging his information without his permission and also without a warrant. While the company was certainly out of line in the lengths they went through to accomplish this, there's nothing ILLEGAL about discovering an internet persona's true identity. They were perfectly free to ask all the questions they did. Whether the ISP had any right to divulge that information is another matter I don't really care to guess on.

    4. Re:RTFA by robot_lords_of_tokyo · · Score: 2, Interesting

      Are there any blanket consumer protection laws with regards to what information a provider can release to a third party? I always thought that it was completely at the discretion of the provider as to what information they can disclose, and for what reason. I hope I'm wrong.

    5. Re:RTFA by conlaw · · Score: 4, Informative

      AFAIK, there is no federal law that would apply in this situation and the only Kansas statute that I could find on whistleblowing applies only to government employees. However, there appear to be a couple of Kansas cases holding that firing someone for whistleblowing is against public policy.

    6. Re:RTFA by mwvdlee · · Score: 5, Insightful

      Asking somebody to break the law can be illegal too, depending on the exact details.
      Trouble is, due to their own well-documented incompetence in security, they'd have a pretty good chance to claim they simply didn't know it was illegal.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    7. Re:RTFA by compro01 · · Score: 4, Insightful

      And whatever happened to "ignorance of the law is no excuse"? One would think that should be doubly so for large corporations with legal departments to tell them what is and isn't legal.

      --
      upon the advice of my lawyer, i have no sig at this time
    8. Re:RTFA by ConceptJunkie · · Score: 4, Insightful

      You're assuming large corporations are actually subject to the law.

      --
      You are in a maze of twisty little passages, all alike.
    9. Re:RTFA by frank_adrian314159 · · Score: 3, Interesting
      Oddly enough, even though ignorance of the law is not an excuse, it can be a mitigating factor. If you get caught, you're more likely to get a reduced sentence if what you are charged with is not obviously illegal. If you check and find out an action is illegal and then get caught, you're more likely to get the book thrown at you. It's sort like patent infringement. If you do a search, find a device/process you're infringing upon, and use it anyway, it's willful infringement and the patent holder can get triple damages; if you don't know it's infringement, you only get normal damages. As such, managers are advised to ask about legality sparingly.

      P.S. I am not an attorney. Do not take this as valid legal advice.

      --
      That is all.
    10. Re:RTFA by Zero__Kelvin · · Score: 4, Interesting
      It seems likely to me that he is protected by the Whistle Blower Law, since he posted to the thread:

      News and Links

      If you have some interesting news or want to throw up a link to discuss it, here's the place. Anything is okay, even shameless vendor launches (since that is often applicable to what we work on).
      He tried to resolve it internally, and when the internal approach failed, he posted it to a news portion of the sla.ckers.org website.

      I concede that IANAL, so of course, I could be wrong, however the courts have already ruled that blogs and other web based news sites qualify under protections provided to the media.
      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    11. Re:RTFA by geekoid · · Score: 2, Insightful

      He could have posted from different places, and they wouldn't have been able to do squat...hell, even using a friends computer would probably be enough.

      It also makes me wonder what laws TJX may have broken trying to get that information.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    12. Re:RTFA by RockDoctor · · Score: 2, Interesting

      Trouble is, due to their own well-documented incompetence in security, they'd have a pretty good chance to claim they simply didn't know it was illegal.
      Do TJX (whoever they are) have any divisions outside America, so that I know who to avoid?
      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  9. Does the CEO condone this firing act? by ee_smajors · · Score: 4, Interesting

    This guy should be promoted to CIO for the company and given carte blanc to clean house on the asshole who did not deal with the original issue. Until I hear that this guy is justly treated, we will not ever spend another penny in TJX stores. Enough of us and the CEO will be looking for a new job.

    1. Re:Does the CEO condone this firing act? by Kingrames · · Score: 2, Informative

      The problem being that everyone under him will be suffering far more, for far longer, because of a protest like that.

      --
      If you can read this, I forgot to post anonymously.
  10. Weak American Dollar by SlshSuxs · · Score: 5, Funny

    This data is implicitly safe now by the weak American Dollar, it would be like stealing Pesos.

  11. Good for him by sleekware · · Score: 3, Insightful

    I don't blame him at all. There is far too much incompetence out there regarding data security. I am lucky to work for a company that listens, but I have quite a few friends who work for companies that don't seem to give a damn. It's a shame.

    1. Re:Good for him by jamstar7 · · Score: 2, Insightful

      At least you can put on record that you tried to implement more security, and it was rejected, so therefore beyond your control.

      It may be beyond your control, but it'll still be your responsibility if that's the way they wrote up your job description. Plus, it's a good way to get rid of somebody in the IT department. Doesn't matter if you don't have the authority to do the job, you're still stuck with the responsibility to get it done, and complaining to Those On High about said lack of authority will just get you a reputation as a whiner, and thus, the first guy out the door the next time there's a security breach.

      Hey, it's cheaper to ignore any breaches than it is to fix them.

      --
      Understanding the scope of the problem is the first step on the path to true panic.
  12. I think there are laws. . . by JSBiff · · Score: 4, Insightful

    To protect whistleblowers, aren't there? Although, that might only be in the government, and maybe government contractors. Not sure if it extends to the private sector.

    The thing I'm puzzled about is, I thought that the electronic payment networks (MasterCard, Visa, Discover, Amex, etc) had very specific requirements for data security, including audits, which filter down to merchants (I realize that merchants don't generally do business directly with the networks [unless, maybe, they're Walmart or Sears], and instead go through intermediate companies that 'resell' the network services, but I thought the security requirements, and audit regimen, bubble down through the whole hierarchy?)

    1. Re:I think there are laws. . . by athakur999 · · Score: 4, Informative

      The whistleblower protection laws in the USA protect an employee from termination for reporting the employer acting illegally. Shoddy security may be stupid but I don't know if it's illegal or not. Also, the employee needs to be reporting to the proper authority, not a random Internet forum.

      --
      "People that quote themselves in their signatures bother me" - athakur999
    2. Re:I think there are laws. . . by kmahan · · Score: 4, Insightful

      And who would the "proper authority" be in this case? His management doesn't care.

      Apparently PCI Compliance doesn't allow for input from the "little people" -- or would someone care to post a link that allows for submitting information to them?

      --
      Invalid Checksum. Retrying.
    3. Re:I think there are laws. . . by TubeSteak · · Score: 3, Insightful

      The whistleblower protection laws in the USA protect an employee from termination for reporting the employer acting illegally. Yea and construction workers can legally refuse to work on an unsafe site.
      Neither set of laws will keep you from getting fired for coming back from lunch 3 minutes late.

      If your company wants a reason to fire you, unless you're perfect, they'll find one.
      --
      [Fuck Beta]
      o0t!
    4. Re:I think there are laws. . . by colinbrash · · Score: 2, Interesting

      And who would the "proper authority" be in this case? His management doesn't care. That would be the point. There isn't a "proper authority" because the company isn't doing anything illegal. If, on the other hand, the company is doing something illegal, surely the "proper authority" would be fairly clear? I'm not sure why everyone seems to be defending this guy and jumping on the "whistleblower" bandwagon. How can you expect to post sensitive security details about your company to an internet forum and not lose your job? Regardless of how dumb the company is, this employee isn't the brightest either if he expected -- and wanted -- to keep his job.
    5. Re:I think there are laws. . . by drinkypoo · · Score: 2, Insightful

      Shoddy security may be stupid but I don't know if it's illegal or not.

      It probably is illegal, because it's probably fraudulent, not least if you make any kind of claims to being at all concerned about security and then knowingly put into place bad policies like allowing blank passwords. I mean, even if you're a total idiot you can see how that's a bad thing. You've got a secret club, right? And someone comes up and your bouncer says "what's da passwoid?" and he says nothing, and the bouncer says "okay come in den". I mean that makes no sense to anyone, right? So blank passwords clearly fail the common sense test.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re:I think there are laws. . . by zerocool^ · · Score: 2, Informative

      http://en.wikipedia.org/wiki/PCI_DSS

      Ask me how I know... ClamAV and I have become more familiar than I ever thought possible.

      --
      sig?
    7. Re:I think there are laws. . . by Anonymous+Brave+Guy · · Score: 3, Informative

      I think you've pretty much got to the root of the problem there: if this behaviour isn't criminally negligent, it should be. In a world where identity theft is one of the fastest growing (and most damaging) crimes in town, dealing with a business that has previously shown itself to be incompetent in handling personal data and is actively avoiding improving the situation, it's time to start throwing the directors in jail.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    8. Re:I think there are laws. . . by Pepebuho · · Score: 4, Insightful
      I am not a lawyer, but I think there might be some way to tie Sarbanes-Oaxley into this.
      As a Public Company, TJX is subject to Sarbanes Oaxley.

      Section 302 demands the certification of Internal Control on Financial data. With such shoddy password system I fail to see how they can comply with it.
      Section 404 demands management to assess risk and solve it
      Section 802 accrues criminal penalties for violations to Sarbanes Oaxley and (TADAM!!!)
      Section 1107 accrues criminal penalties for retaliations against whistleblowers.

      I think this guy should get hold of Section 1107 and run it for all it is worth!!!!

      From Wikipedia:
      http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act

      Section 1107 of the SOX 18 U.S.C. 1513(e) states:[23]

      " Whoever knowingly, with the intent to retaliate, takes any action harmful to any person, including interference with the lawful employment or livelihood of any person, for providing to a law enforcement officer any truthful information relating to the commission or possible commission of any federal offence, shall be fined under this title, imprisoned not more than 10 years, or both. I am not sure if posting to a blog could be construed as "providing to a law enforcement officer any truthful information bla bla bla", but I think this is his best shot.

      My 2 cents
    9. Re:I think there are laws. . . by geekoid · · Score: 3, Interesting

      true, but when you show up to court, there going to be looked at real carefully.
      Has anyone else been 3 minutes late and not fired? what does your policy say?

      The courts are suspicious of those kind of amazing coincidence.

      Even if you are 'perfect' they can find one, no doubt. That doesn't mean you don't have recourse.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    10. Re:I think there are laws. . . by Xiaran · · Score: 2, Insightful

      SO where are the Credit Card companies in all this. Surely their ass in on the line for fraudulent use of leaked CC information. I would think VISA and Mastercard could step in and insist that this company clean up its security or else disallow payments originating from them.

  13. In case you're wondering who TJX is... by Anonymous Coward · · Score: 4, Informative

    Here's the TJX web site [warning: Flash], where you'll learn that they are TJMaxx, Winners, Marshalls, HomeSense, HomeGoods, TKMaxx, AJWright, and Bob's Stores. You can also read a nice letter from the TJX president and CEO describing how they have "...worked diligently with some of the world's best computer security firms to further enhance our computer security."

    Blank passwords. Wow. No bad guys would ever try that. Disclosing that policy would really compromise security, wouldn't it?

  14. Another older guy loses his capacity for outrage by spun · · Score: 5, Interesting

    Hey, yeah, what was this guy thinking, doing the right thing in spite of the risks? He deserved to get screwed over, right? Everyone just play along, don't rock the boat, do what you're told, and shut the hell up. Thanks so much for sharing your sage wisdom and mature outlook.

    Maybe he expected exactly what happened and blew the whistle anyway. So, wise elder, what would you have done?

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  15. Dear TJX by Archangel+Michael · · Score: 5, Funny

    Dear TJX,

    We're the Slashdot community, and would like you to meet Ms Barbara Streisand, who can help you with your media relations problem.

    Yours Truly,

    Slashdot Community.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  16. Re:Another older guy loses his capacity for outrag by elrous0 · · Score: 5, Insightful

    Being a whistleblower means sacrifice. No one gives you a medal for doing the right thing, nor should you expect anything but scorn.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  17. Re:Another older guy loses his capacity for outrag by compro01 · · Score: 4, Insightful

    Yes, things currently work that way. Things shouldn't work that way.

    --
    upon the advice of my lawyer, i have no sig at this time
  18. Luggage? Pfft by autocracy · · Score: 3, Funny

    I've got the same key for my ssh sessions (with apologies to Debian).

    --
    SIG: HUP
    1. Re:Luggage? Pfft by trolltalk.com · · Score: 3, Funny

      I've got the same key for my ssh sessions (with apologies to Debian).

      President Skroobs' director of IT recomends using 2-4-6-8-10 for ssh, since it's obviously double secure over the standard 1-2-3-4-5.

      --
      Kevin Smith on Prince
  19. Re:Another older guy loses his capacity for outrag by spun · · Score: 4, Insightful

    Assuming this is how things actually are, what makes you think this kid expected anything different? Where do you see him begging for a medal?

    But it really sounds like you are going further, saying that not only is this how things are, but how they ought to be. It really sounds like you are coming down on the guy for doing the right thing.

    Or maybe you are trying to say that everyone should be as cynical as you are? Maybe you believe that we should all expect to get fucked over for doing the right thing, and anyone who doesn't expect that is an idiot who deserves what they got.

    Please clarify, do you think this guy got the treatment he deserves? Should we not be outraged here? I'm confused as to your motives for posting what you originally did.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  20. Since when? by MrNougat · · Score: 3, Interesting

    Since when is "allowing blank passwords" a compromise, and not stupid?

    --
    Web 2.0 == Giant Blogspam Circle Jerk
  21. Re:Good for them by quanticle · · Score: 2, Insightful

    Perhaps he didn't trust that the reporter would keep his identity secret? Or, more likely, perhaps there wasn't a reporter interested in the matter. The increasing declines in local journalism, combined with the fact that reporters and technology have traditionally gotten along about as well as oil and water, has meant that often there are no reporters willing to take on a data-breach story. Especially if the person cannot make some kind of sensationalist "your credit cards just got handed to the Russian Mafia", or "Think of the children!!" kind of plea, its quite likely that no reporter was interested in taking the story.

    --
    We all know what to do, but we don't know how to get re-elected once we have done it
  22. The word "further" bothers me.. by cheros · · Score: 2, Interesting

    ..given past record "further" is exactly NOT where they ought to be heading :-).

    --
    Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
  23. Additional Information by mrkitty · · Score: 3, Informative


    http://www.cgisecurity.com/2008/05/11

    --
    Believe me, if I started murdering people, there would be none of you left.
  24. Gold Mine by Nom+du+Keyboard · · Score: 3, Funny

    In spite of the weak internal security, TJX now has a firm that scours the internet to find bad things posted about them, which is how they found the message and fired him for it.

    Then they've found a Gold Mine here on Slashdot.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  25. Re:Another older guy loses his capacity for outrag by evilviper · · Score: 2, Insightful

    No one gives you a medal for doing the right thing,

    So tell me, what DO they give you medals for?
    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  26. Re:Another older guy loses his capacity for outrag by Kingrames · · Score: 2, Insightful

    What is right is almost never easy.
    If it were it wouldn't be something worth mentioning.

    --
    If you can read this, I forgot to post anonymously.
  27. But... by twentynine · · Score: 2, Funny

    who needs strong passwords when you can simply have tough-to-guess usernames.

  28. The cost to TJX by Beryllium+Sphere(tm) · · Score: 2, Informative

    It's not just PCI fines that a merchant needs to think about: a bunch of banks sued TJX over the breach.

  29. We, your former customers, want security from you. by LostCluster · · Score: 2, Interesting

    TJX just doesn't get it. They hired a team to look for insider negative postings, and considered that an increase in security. They consider the negative poster a rouge insider... but they can't seem to track down who was at fault for the massive breach that they suffered from. That's the person we really want fired.

    What we, the people who used to shop at TJ Maxx, Marshalls, AJ Wright, HomeGoods, and Bob's Stores, are looking to see is that they can finally claim that they increased their security (using the same standards we expect on the web) so that nobody can intercept what we show the cashier, our credit card stripe data and signature, on its way to the credit card processing company they're using. Good encryption is freely available, great would be hearing that they hired a company that cares about it.

    They're thinking about what directly impacts the bottom line (profits) while forgetting that what upsets the customers will directly impact the top line (sales) that will impact that bottom line too.

  30. here are the stores you should avoid by museumpeace · · Score: 2, Interesting

    http://www.tjx.com/employment/life_brands.html I don't know who paid for it but I have had new credit cards issued not because I asked for them...kinda messed up my cookies for on line purchases. These guys suck.

    --
    SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
  31. Passwords are easy , there is no excuse. by geekoid · · Score: 2, Interesting

    Forexample:
    BIG_b00bs_a how hard is that to remember?
    another
    P4ssw0rd5_suck_m3_0ff

    Another:
    ROY_G_B1V_aa

    Jeez, there really isn't any excuse. I think they called this PAL in the Military.
    How about the first few letters from the first words in a song or poem?
    from Mary had a little lamb:
    Mhallwfwwas&wmw12

    or another
    IXdKKaspdd_10

    This can't remember password BS really annoys me.
    Add to the fact that any computer system to day should lock down the computer after3 attempts..ah hell lets make it 5 attempts should prevent a brute force or dictionary attack from happens so changing your password isn't really that necessary any more, it's a hold out from 25 years ago when you could only have 8 characters, and there wasn't any lockout.
    Since most people who implement security do not understand security and could do risk analysis if their life depended on it, I'm not surprised at the state of affairs in computer security.

    And before someone who thinks they know what they are doing corrects me, yes, I do know there are some systems that need tighter security, like missile Codes. Having handled them I know a thing or 4 about them. I am talking about security for 99.99% of everyone else.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect