29 May 2008 | 7,316 views

TJX Employee Fired for Trying to Fix Things

Secure Your Website with Acunetix

Ah TJX in the news again….after previously having the Largest Breach of Customer Data in U.S. History, now they are screwing people over that try to help them and their seemingly ridiculous information security policies.

Hello blank passwords? Sounds crazy but I believe it happens, at more places than just TJX. It’s sad that someone who actually wants to help and bring up the issues of shoddy security practise ends up with the raw end of the deal. That also doesn’t surprise me though, sometimes it just pays to keep quiet and let them get owned again.

TJX Companies, the mammoth US retailer whose substandard security led to the world’s biggest credit card heist, has fired an employee after he left posts in an online forum that made disturbing claims about security practices at the store where he worked.

Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas, that employees were able to log onto company servers using blank passwords, the fired employee, Nick Benson, told The Register. This policy was in effect as recently as May 8, more than 18 months after company officials learned a massive network breach had leaked the details of more than 94 million customer credit cards. Benson said he was fired on Wednesday after managers said he disclosed confidential company information online.

It’s pretty shocking after the huge data loss that they suffered how they can have such lax policies, changing reasonable passwords to blank ones? Hello ownage, here’s my network! Yeah he did disclose important company information…he disclosed to the world that you are a bunch of dickwads.

Incompetent ones at that. Some may berate his actions, but still it didn’t seem he was getting anywhere inside the company.

Other security issues included a store server that was running in administrator mode, making it far more susceptible to attackers. He said he brought the security issues to the attention of a district loss prevention manager name Allen in late 2006, and repeatedly discussed them with store managers. Except for a stretch when IT managers temporarily tightened password policies, the problems went unfixed.

Benson’s May 8 posting was prompted by news that managers had changed the password for employees to access the store server. Inexplicably, it was set to blank. When Benson first began working for TJX, his password was the same as his user name, he said. Then came word in January 2007 that unknown hackers had brazenly intruded on the company’s network over a 17-month period. For a time following the disclosure, TJX employees were required to use relatively strong passwords. The change to a blank password clearly represented a step backward, Benson thought.

The posts eventually caught up to Benson. On Wednesday, while marking down items on the TJ Maxx retail floor, he was summoned to the store office. Inside, a regional loss prevention manager told him his critiques had come to the attention of the company hired to monitor internet postings about the retailing giant. The manager told Benson he was being fired for disclosing confidential company information.

Password the same as username? That’s not much more secure…but blank passwords, that’s the worst of all. Oh well it looks like a good reason only to use cash if you are going to shop at any TJX stores!

Well I’d imagine this might be prevalent at most stores…so perhaps a good reason to use cash everywhere. Other than the fact I don’t like people tracking my purchases in some huge consumer database anyway…

Source: The Register





                

Recent in Legal Issues:
- Security Vendor Trustwave Named In Target Suit
- Target CIO Beth Jacob Resigns After Huge Breach
- Stuxnet 2 Under Development By Spy Agencies?

Related Posts:
- theHarvester – Gather E-mail Accounts, Subdomains, Hosts, Employee Names – Information Gathering Tool
- Trojan Compromises 2,200 Oregon Tax Payers
- Logic Bomb Backfires on Hacker Employee

Most Read in Legal Issues:
- Class President Hacks School Grades - 80,479 views
- Hospital Hacker GhostExodus Owns Himself – Arrested - 47,402 views
- One Of The World’s Most Prolific Music Piracy Groups Busted - 43,449 views

Advertise on Darknet

7 Responses to “TJX Employee Fired for Trying to Fix Things”

  1. razta 29 May 2008 at 9:40 am Permalink

    I heard about the Credit Card breach however I assumed it was in the UK. Might try and get a job at TKMAX! Cheap clothes and lots of CC numbers! lol

  2. Jinesh Doshi 29 May 2008 at 12:28 pm Permalink

    Though the company policy sucks big time. The employee shouldn’t have disclosed it. I agree with what managers did.

  3. eM3rC 30 May 2008 at 1:13 am Permalink

    That is a really funny and really good point razta. Just make sure person information is the next breech :)

  4. Jinesh Doshi 30 May 2008 at 5:43 am Permalink

    @razta

    Good one. Hope authorities dont read your post here or will get fired before you get the job. lol :)

  5. Silicon shaman 30 May 2008 at 9:04 am Permalink

    I know soemone that works on the distribution side of things, So not at all surprised to learn the managers are just as clueless in the retail side.

    Although, he was kinda of a dumb-ass to get caught mind you…

  6. razta 30 May 2008 at 6:32 pm Permalink

    My work colleague used to work there too, she wasn’t surprised.

  7. Jinesh Doshi 31 May 2008 at 5:25 am Permalink

    @razta

    Y dont u teach your colleague a few hacking tricks. lol :)