TJX Employee Fired for Trying to Fix Things


Ah TJX in the news again….after previously having the Largest Breach of Customer Data in U.S. History, now they are screwing people over that try to help them and their seemingly ridiculous information security policies.

Hello blank passwords? Sounds crazy but I believe it happens, at more places than just TJX. It’s sad that someone who actually wants to help and bring up the issues of shoddy security practise ends up with the raw end of the deal. That also doesn’t surprise me though, sometimes it just pays to keep quiet and let them get owned again.

TJX Companies, the mammoth US retailer whose substandard security led to the world’s biggest credit card heist, has fired an employee after he left posts in an online forum that made disturbing claims about security practices at the store where he worked.

Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas, that employees were able to log onto company servers using blank passwords, the fired employee, Nick Benson, told The Register. This policy was in effect as recently as May 8, more than 18 months after company officials learned a massive network breach had leaked the details of more than 94 million customer credit cards. Benson said he was fired on Wednesday after managers said he disclosed confidential company information online.

It’s pretty shocking after the huge data loss that they suffered how they can have such lax policies, changing reasonable passwords to blank ones? Hello ownage, here’s my network! Yeah he did disclose important company information…he disclosed to the world that you are a bunch of dickwads.

Incompetent ones at that. Some may berate his actions, but still it didn’t seem he was getting anywhere inside the company.

Other security issues included a store server that was running in administrator mode, making it far more susceptible to attackers. He said he brought the security issues to the attention of a district loss prevention manager name Allen in late 2006, and repeatedly discussed them with store managers. Except for a stretch when IT managers temporarily tightened password policies, the problems went unfixed.

Benson’s May 8 posting was prompted by news that managers had changed the password for employees to access the store server. Inexplicably, it was set to blank. When Benson first began working for TJX, his password was the same as his user name, he said. Then came word in January 2007 that unknown hackers had brazenly intruded on the company’s network over a 17-month period. For a time following the disclosure, TJX employees were required to use relatively strong passwords. The change to a blank password clearly represented a step backward, Benson thought.

The posts eventually caught up to Benson. On Wednesday, while marking down items on the TJ Maxx retail floor, he was summoned to the store office. Inside, a regional loss prevention manager told him his critiques had come to the attention of the company hired to monitor internet postings about the retailing giant. The manager told Benson he was being fired for disclosing confidential company information.

Password the same as username? That’s not much more secure…but blank passwords, that’s the worst of all. Oh well it looks like a good reason only to use cash if you are going to shop at any TJX stores!

Well I’d imagine this might be prevalent at most stores…so perhaps a good reason to use cash everywhere. Other than the fact I don’t like people tracking my purchases in some huge consumer database anyway…

Source: The Register

Posted in: Legal Issues, Privacy

, ,


Latest Posts:


dSploit APK Download - Hacking & Security Toolkit For Android dSploit APK Download – Hacking & Security Toolkit For Android
dSploit APK Download is a Hacking & Security Toolkit For Android which can conduct network analysis and penetration testing activities.
Scallion - GPU Based Onion Hash Generator Scallion – GPU Based Onion Hash Generator
Scallion is a GPU-driven Onion Hash Generator written in C#, it lets you create vanity GPG keys and .onion addresses (for Tor's hidden services).
WiFi-Dumper - Dump WiFi Profiles and Cleartext Passwords WiFi-Dumper – Dump WiFi Profiles and Cleartext Passwords
WiFi-Dumper is an open-source Python-based tool to dump WiFi profiles and cleartext passwords of the connected access points on a Windows machine.
truffleHog - Search Git for High Entropy Strings with Commit History truffleHog – Search Git for High Entropy Strings with Commit History
truffleHog is a Python-based tool to search Git for high entropy strings, digging deep into commit history and branches. This is effective at finding secrets accidentally committed.
AIEngine - AI-driven Network Intrusion Detection System AIEngine – AI-driven Network Intrusion Detection System
AIEngine is a next-generation interactive/programmable Python/Ruby/Java/Lua and Go AI-driven Network Intrusion Detection System engine with many capabilities.
Sooty - SOC Analyst All-In-One CLI Tool Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.


7 Responses to TJX Employee Fired for Trying to Fix Things

  1. razta May 29, 2008 at 9:40 am #

    I heard about the Credit Card breach however I assumed it was in the UK. Might try and get a job at TKMAX! Cheap clothes and lots of CC numbers! lol

  2. Jinesh Doshi May 29, 2008 at 12:28 pm #

    Though the company policy sucks big time. The employee shouldn’t have disclosed it. I agree with what managers did.

  3. eM3rC May 30, 2008 at 1:13 am #

    That is a really funny and really good point razta. Just make sure person information is the next breech :)

  4. Jinesh Doshi May 30, 2008 at 5:43 am #

    @razta

    Good one. Hope authorities dont read your post here or will get fired before you get the job. lol :)

  5. Silicon shaman May 30, 2008 at 9:04 am #

    I know soemone that works on the distribution side of things, So not at all surprised to learn the managers are just as clueless in the retail side.

    Although, he was kinda of a dumb-ass to get caught mind you…

  6. razta May 30, 2008 at 6:32 pm #

    My work colleague used to work there too, she wasn’t surprised.

  7. Jinesh Doshi May 31, 2008 at 5:25 am #

    @razta

    Y dont u teach your colleague a few hacking tricks. lol :)