TJX Employee Fired for Trying to Fix Things

Use Netsparker


Ah TJX in the news again….after previously having the Largest Breach of Customer Data in U.S. History, now they are screwing people over that try to help them and their seemingly ridiculous information security policies.

Hello blank passwords? Sounds crazy but I believe it happens, at more places than just TJX. It’s sad that someone who actually wants to help and bring up the issues of shoddy security practise ends up with the raw end of the deal. That also doesn’t surprise me though, sometimes it just pays to keep quiet and let them get owned again.

TJX Companies, the mammoth US retailer whose substandard security led to the world’s biggest credit card heist, has fired an employee after he left posts in an online forum that made disturbing claims about security practices at the store where he worked.

Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas, that employees were able to log onto company servers using blank passwords, the fired employee, Nick Benson, told The Register. This policy was in effect as recently as May 8, more than 18 months after company officials learned a massive network breach had leaked the details of more than 94 million customer credit cards. Benson said he was fired on Wednesday after managers said he disclosed confidential company information online.

It’s pretty shocking after the huge data loss that they suffered how they can have such lax policies, changing reasonable passwords to blank ones? Hello ownage, here’s my network! Yeah he did disclose important company information…he disclosed to the world that you are a bunch of dickwads.

Incompetent ones at that. Some may berate his actions, but still it didn’t seem he was getting anywhere inside the company.

Other security issues included a store server that was running in administrator mode, making it far more susceptible to attackers. He said he brought the security issues to the attention of a district loss prevention manager name Allen in late 2006, and repeatedly discussed them with store managers. Except for a stretch when IT managers temporarily tightened password policies, the problems went unfixed.

Benson’s May 8 posting was prompted by news that managers had changed the password for employees to access the store server. Inexplicably, it was set to blank. When Benson first began working for TJX, his password was the same as his user name, he said. Then came word in January 2007 that unknown hackers had brazenly intruded on the company’s network over a 17-month period. For a time following the disclosure, TJX employees were required to use relatively strong passwords. The change to a blank password clearly represented a step backward, Benson thought.

The posts eventually caught up to Benson. On Wednesday, while marking down items on the TJ Maxx retail floor, he was summoned to the store office. Inside, a regional loss prevention manager told him his critiques had come to the attention of the company hired to monitor internet postings about the retailing giant. The manager told Benson he was being fired for disclosing confidential company information.

Password the same as username? That’s not much more secure…but blank passwords, that’s the worst of all. Oh well it looks like a good reason only to use cash if you are going to shop at any TJX stores!

Well I’d imagine this might be prevalent at most stores…so perhaps a good reason to use cash everywhere. Other than the fact I don’t like people tracking my purchases in some huge consumer database anyway…

Source: The Register

Posted in: Legal Issues, Privacy

, ,


Latest Posts:


Four Year Old libSSH Bug Leaves Servers Wide Open Four Year Old libssh Bug Leaves Servers Wide Open
A fairly serious 4-year old libssh bug has left servers vulnerable to remote compromise, fortunately, the attack surface isn't that big as neither OpenSSH or the GitHub implementation are affected.
CHIPSEC - Platform Security Assessment Framework CHIPSEC – Platform Security Assessment Framework For Firmware Hacking
CHIPSEC is a platform security assessment framework for PCs including hardware, system firmware (BIOS/UEFI), and platform components for firmware hacking.
How To Recover When Your Website Got Hacked How To Recover When Your Website Got Hacked
The array of easily available Hacking Tools out there now is astounding, combined with self-propagating malware, people often come to me when their website got hacked and they don't know what to do, or even where to start.
HTTrack - Website Downloader Copier & Site Ripper Download HTTrack – Website Downloader Copier & Site Ripper Download
HTTrack is a free and easy-to-use offline browser utility which acts as a website downloader and a site ripper for copying websites and downloading them for offline viewing.
sshLooter - Script To Steal SSH Passwords sshLooter – Script To Steal SSH Passwords
sshLooter is a Python script using a PAM module to steal SSH passwords by logging the password and notifying the admin of the script via Telegram when a user logs in.
Intercepter-NG - Android App For Hacking Intercepter-NG – Android App For Hacking
Intercepter-NG is a multi functional network toolkit including an Android app for hacking, the main purpose is to recover interesting data from the network stream and perform different kinds of MiTM attacks.


7 Responses to TJX Employee Fired for Trying to Fix Things

  1. razta May 29, 2008 at 9:40 am #

    I heard about the Credit Card breach however I assumed it was in the UK. Might try and get a job at TKMAX! Cheap clothes and lots of CC numbers! lol

  2. Jinesh Doshi May 29, 2008 at 12:28 pm #

    Though the company policy sucks big time. The employee shouldn’t have disclosed it. I agree with what managers did.

  3. eM3rC May 30, 2008 at 1:13 am #

    That is a really funny and really good point razta. Just make sure person information is the next breech :)

  4. Jinesh Doshi May 30, 2008 at 5:43 am #

    @razta

    Good one. Hope authorities dont read your post here or will get fired before you get the job. lol :)

  5. Silicon shaman May 30, 2008 at 9:04 am #

    I know soemone that works on the distribution side of things, So not at all surprised to learn the managers are just as clueless in the retail side.

    Although, he was kinda of a dumb-ass to get caught mind you…

  6. razta May 30, 2008 at 6:32 pm #

    My work colleague used to work there too, she wasn’t surprised.

  7. Jinesh Doshi May 31, 2008 at 5:25 am #

    @razta

    Y dont u teach your colleague a few hacking tricks. lol :)