Whistleblower fired

TJX Companies, the US retail conglomerate whose substandard security led to the world’s biggest credit card breach, has fired an employee after he left posts in an online forum revealing shoddy security practices at the store where he worked.

Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas, that employees were able to log onto company servers using blank passwords, the fired employee, Nick Benson, told The Register. This policy was in effect as recently as May 8, more than 18 months after company officials learned a massive network breach had leaked the details of more than 94 million customer credit cards. Benson said he was fired on Wednesday after managers said he disclosed confidential company information online.

Other security issues included a store server that was running in administrator mode, making it far more susceptible to attackers. He said he brought the security issues to the attention of a district loss prevention manager named Allen in late 2006, and repeatedly discussed them with store managers. Except for a stretch when IT managers temporarily tightened password policies, the problems went unfixed.

Frustrated at the unwillingness of management to properly protect their customers’ data, Benson made a series of posts on the sla.ckers.org website, which is devoted to web application security.

Benson’s disclosures weren’t specific enough to give attackers information needed to successfully breach TJX’s networks. And when you consider the right of TJX’s customers and employees to know that their data may be at risk, it’s not unreasonable to call him a whistleblower.

For Benson’s part, he has no regrets. “They’re telling the public they’re PCI compliant,” he said, referring to so-called payment card industry security rules governing businesses that accept credit and debit cards. “That I think is unethical.”

The Register is asking whether other TJX employees have tales similar to Benson’s. If so, you can contact the reporter using this link. (Anonymity assured.)
