Slashdot Mirror
TJX Fires Employee For Disclosing Vulnerability
I Don't Believe in Imaginary Property writes "A TJX employee was fired for an online post mentioning that TJX hasn't beefed up security after the recent, massive data breach that saw 94 million credit card numbers copied by criminals and money from their accounts stolen. The employee mentioned that, at first, their usernames were the same as their passwords. After they required stronger passwords, some managers complained, so they 'compromised' by allowing blank passwords. The whistleblower said he discussed his concerns with management, but that it was like talking to a brick wall. In spite of the weak internal security, TJX now has a firm that scours the internet to find bad things posted about them, which is how they found the message and fired him for it. Too bad they don't appear to have hired anyone to beef up operational security or to convince people to use strong passwords."
Who is TJX and how can I avoid doing business with them, but then I realized they were TJ Maxx and Marshall's and I don't do business with them anyways.
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
This was a server at one store, not the TJX headquarters where the data is kept.
I used the same password as this account, and obviously some people found out about it and have been posting under my username for ages! :(
"So last August, Benson took to Sla.ckers.org, a website dedicated to web application security, and began anonymously reporting the shoddy practices in this user forum."
This guy should be promoted to CIO for the company and given carte blanc to clean house on the asshole who did not deal with the original issue. Until I hear that this guy is justly treated, we will not ever spend another penny in TJX stores. Enough of us and the CEO will be looking for a new job.
Have they not learned from the others that have gone on before them. It is not the original error that will get you, but how you cover up your error that does.
Anyone remember Nixon... and a few others.
-- sig.com not found post halted
This data is implicitly safe now by the weak American Dollar, it would be like stealing Pesos.
To protect whistleblowers, aren't there? Although, that might only be in the government, and maybe government contractors. Not sure if it extends to the private sector.
The thing I'm puzzled about is, I thought that the electronic payment networks (MasterCard, Visa, Discover, Amex, etc) had very specific requirements for data security, including audits, which filter down to merchants (I realize that merchants don't generally do business directly with the networks [unless, maybe, they're Walmart or Sears], and instead go through intermediate companies that 'resell' the network services, but I thought the security requirements, and audit regimen, bubble down through the whole hierarchy?)
Here's the TJX web site [warning: Flash], where you'll learn that they are TJMaxx, Winners, Marshalls, HomeSense, HomeGoods, TKMaxx, AJWright, and Bob's Stores. You can also read a nice letter from the TJX president and CEO describing how they have "...worked diligently with some of the world's best computer security firms to further enhance our computer security."
Blank passwords. Wow. No bad guys would ever try that. Disclosing that policy would really compromise security, wouldn't it?
Hey, yeah, what was this guy thinking, doing the right thing in spite of the risks? He deserved to get screwed over, right? Everyone just play along, don't rock the boat, do what you're told, and shut the hell up. Thanks so much for sharing your sage wisdom and mature outlook.
Maybe he expected exactly what happened and blew the whistle anyway. So, wise elder, what would you have done?
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Dear TJX,
We're the Slashdot community, and would like you to meet Ms Barbara Streisand, who can help you with your media relations problem.
Yours Truly,
Slashdot Community.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Being a whistleblower means sacrifice. No one gives you a medal for doing the right thing, nor should you expect anything but scorn.
SJW: Someone who has run out of real oppression, and has to fake it.
Yes, things currently work that way. Things shouldn't work that way.
upon the advice of my lawyer, i have no sig at this time
Assuming this is how things actually are, what makes you think this kid expected anything different? Where do you see him begging for a medal?
But it really sounds like you are going further, saying that not only is this how things are, but how they ought to be. It really sounds like you are coming down on the guy for doing the right thing.
Or maybe you are trying to say that everyone should be as cynical as you are? Maybe you believe that we should all expect to get fucked over for doing the right thing, and anyone who doesn't expect that is an idiot who deserves what they got.
Please clarify, do you think this guy got the treatment he deserves? Should we not be outraged here? I'm confused as to your motives for posting what you originally did.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
What security people don't understand is that good security can be very, very, VERY expensive. Far more expensive than some simple PR. I'm not just talking about the up-front cost of doing security right in the first place, but the less noticeable costs of user training, user re-training, tech support, lost productivity (senior manager forgot his admin password), and the cost of letting people go who are very valuable and good at their jobs but too stupid to follow the proper security protocols.
Good managers understand this and realize that spending that much money on protecting something that's really not very important to the company (customer identities) is just not good business. Until people start hearing on the nightly news that "TJMaxx gave your credit information to terrorists who used it to buy nuclear weapons and assassinate Jesus," the negative publicity they'll suffer is negligible.
Very expensive? Compared to what? Going out of business?
What if your bank decided that those pesky safe deposit boxes would be a whole lot cheaper if only they could use unlocked filing cabinets instead. Would you still want to do business with them?
The sad state of affairs here is that the problem doesn't become apparent until someone gets hacked.
I think a firm that has a security breech ought to be forced to make restitution to the customers. Managers may not understand security, but they will understand lawsuits and damages.
Only once you've rubbed a manager's nose in the problem can you expect a solution. We don't HAVE to address everything, but managers should at least be aware of the risks they're taking.
It's a telling point that they've chosen to persecute instead of promote the person who exposed the flaws. These idiots would rather hide in the corner than address the risks up front.
Nearly fifty percent of all graduates come from the bottom half of the class!
Seriously, what did he expect, that a lazy corporation was going to reform its security policies because a 23-year-old hourly employee complained anonymously on a blog?
...At their own foot.
If they had any integrity - Yes, that sounds like the best possible outcome of this.
Think about it - The CIO didn't say "okay, after a major data breach, go ahead and keep using pathetic passwords". The order came down from On High to use secure passwords. This proved inconvenient to hundreds of piddling middle-managers, who ordered "their" IT guys to find a way around all that nasty security. The local IT guys complied, by allowing blank passwords (Corporate probably never expected anything that stupid, and so didn't have a policy stating otherwise).
So, sometime later, Corporate discovers what has happened, and it enrages them. They meet, discuss, take aim, and fire...
And what did he think they were going to do when they caught him, give him a raise and a promise to change their cheap lazy ways?
They could have addressed the problem and rewarded the child who dared to laugh at the naked emperor. By chosing not to, they have very effectively told me they care more about appearances than the security of my credit card data. As a result, I will no longer shop there.
This has been a struggle for centuries.
Engineer: "I don't care what you read in 'Feudal Lords Monthly', if you want this castle to be secure, we need 2000 foot tall walls, 700 feet thick with a moat of pure acid that's 200 feet deep."
Lord: "But I read that this spell of invisibility and Norton(tm) balsa wood framework is just as good. It leads the industry!"