TJX Employee Fired for Trying to Fix Things


Ah TJX in the news again….after previously having the Largest Breach of Customer Data in U.S. History, now they are screwing people over that try to help them and their seemingly ridiculous information security policies.

Hello blank passwords? Sounds crazy but I believe it happens, at more places than just TJX. It’s sad that someone who actually wants to help and bring up the issues of shoddy security practise ends up with the raw end of the deal. That also doesn’t surprise me though, sometimes it just pays to keep quiet and let them get owned again.

TJX Companies, the mammoth US retailer whose substandard security led to the world’s biggest credit card heist, has fired an employee after he left posts in an online forum that made disturbing claims about security practices at the store where he worked.

Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas, that employees were able to log onto company servers using blank passwords, the fired employee, Nick Benson, told The Register. This policy was in effect as recently as May 8, more than 18 months after company officials learned a massive network breach had leaked the details of more than 94 million customer credit cards. Benson said he was fired on Wednesday after managers said he disclosed confidential company information online.

It’s pretty shocking after the huge data loss that they suffered how they can have such lax policies, changing reasonable passwords to blank ones? Hello ownage, here’s my network! Yeah he did disclose important company information…he disclosed to the world that you are a bunch of dickwads.

Incompetent ones at that. Some may berate his actions, but still it didn’t seem he was getting anywhere inside the company.

Other security issues included a store server that was running in administrator mode, making it far more susceptible to attackers. He said he brought the security issues to the attention of a district loss prevention manager name Allen in late 2006, and repeatedly discussed them with store managers. Except for a stretch when IT managers temporarily tightened password policies, the problems went unfixed.

Benson’s May 8 posting was prompted by news that managers had changed the password for employees to access the store server. Inexplicably, it was set to blank. When Benson first began working for TJX, his password was the same as his user name, he said. Then came word in January 2007 that unknown hackers had brazenly intruded on the company’s network over a 17-month period. For a time following the disclosure, TJX employees were required to use relatively strong passwords. The change to a blank password clearly represented a step backward, Benson thought.

The posts eventually caught up to Benson. On Wednesday, while marking down items on the TJ Maxx retail floor, he was summoned to the store office. Inside, a regional loss prevention manager told him his critiques had come to the attention of the company hired to monitor internet postings about the retailing giant. The manager told Benson he was being fired for disclosing confidential company information.

Password the same as username? That’s not much more secure…but blank passwords, that’s the worst of all. Oh well it looks like a good reason only to use cash if you are going to shop at any TJX stores!

Well I’d imagine this might be prevalent at most stores…so perhaps a good reason to use cash everywhere. Other than the fact I don’t like people tracking my purchases in some huge consumer database anyway…

Source: The Register

Posted in: Legal Issues, Privacy

, ,


Latest Posts:


zBang - Privileged Account Threat Detection Tool zBang – Privileged Account Threat Detection Tool
zBang is a risk assessment tool for Privileged Account Threat Detection on a scanned network, organizations & red teams can use it to identify attack vectors
Memhunter - Automated Memory Resident Malware Detection Memhunter – Automated Memory Resident Malware Detection
Memhunter is an Automated Memory Resident Malware Detection tool for the hunting of memory resident malware at scale, improving threat hunter analysis process.
Sandcastle - AWS S3 Bucket Enumeration Tool Sandcastle – AWS S3 Bucket Enumeration Tool
Sandcastle is an Amazon AWS S3 Bucket Enumeration Tool, formerly known as bucketCrawler. The script takes a target's name as the stem argument (e.g. shopify).
Astra - API Automated Security Testing For REST Astra – API Automated Security Testing For REST
Astra is a Python-based tool for API Automated Security Testing, REST API penetration testing is complex due to continuous changes in existing APIs.
Judas DNS - Nameserver DNS Poisoning Attack Tool Judas DNS – Nameserver DNS Poisoning Attack Tool
Judas DNS is a Nameserver DNS Poisoning Attack Tool which functions as a DNS proxy server built to be deployed in place of a taken over nameserver to perform targeted exploitation.
dsniff Download - Tools for Network Auditing & Password Sniffing dsniff Download – Tools for Network Auditing & Password Sniffing
Dsniff download is a collection of tools for network auditing & penetration testing. Dsniff, filesnarf, mailsnarf, msgsnarf, URLsnarf, and WebSpy passively monitor a network


7 Responses to TJX Employee Fired for Trying to Fix Things

  1. razta May 29, 2008 at 9:40 am #

    I heard about the Credit Card breach however I assumed it was in the UK. Might try and get a job at TKMAX! Cheap clothes and lots of CC numbers! lol

  2. Jinesh Doshi May 29, 2008 at 12:28 pm #

    Though the company policy sucks big time. The employee shouldn’t have disclosed it. I agree with what managers did.

  3. eM3rC May 30, 2008 at 1:13 am #

    That is a really funny and really good point razta. Just make sure person information is the next breech :)

  4. Jinesh Doshi May 30, 2008 at 5:43 am #

    @razta

    Good one. Hope authorities dont read your post here or will get fired before you get the job. lol :)

  5. Silicon shaman May 30, 2008 at 9:04 am #

    I know soemone that works on the distribution side of things, So not at all surprised to learn the managers are just as clueless in the retail side.

    Although, he was kinda of a dumb-ass to get caught mind you…

  6. razta May 30, 2008 at 6:32 pm #

    My work colleague used to work there too, she wasn’t surprised.

  7. Jinesh Doshi May 31, 2008 at 5:25 am #

    @razta

    Y dont u teach your colleague a few hacking tricks. lol :)