(Picture courtesy of b d solis at Flickr)
One would assume after compromising an estimated 94 million people's information, a company would become a model of information security for the rest of us to aspire to. Sadly, if the following story is true, this is NOT the case at TJX.
Ran into this disturbing example of a messenger getting shot for trying to report sloppy security on Sans Newsbites:
TJX Companies has fired an employee from a Lawrence, Kansas TJ Maxx store for making posts to a forum about the company's lax security practices, even after the notable breach. The employee, Nick Benson, said in several posts that except for a period of time following the breach disclosure when a strong password policy was enforced, the employee password at his store's server was set to blank. In addition, at one point a store server was running in administrator mode. When Benson began work at TJX, his password was the same as his user name. TJX says Benson was fired for disclosing confidential company information. -http://www.theregister.co.uk/2008/05/23/tjx_fires_whistleblower/print.html-http://computerworld.co.nz/news.nsf/scrt/3A2C5453A05F8C31CC257454006CE111
Reading a little further by linking to the article written by Dan Goodin in the Register, I discovered that the act of posting in forums came about AFTER the employee tried to resolve the problem, internally:
Other security issues included a store server that was running in administrator mode, making it far more susceptible to attackers. He said he brought the security issues to the attention of a district loss prevention manager name Allen in late 2006, and repeatedly discussed them with store managers. Except for a stretch when IT managers temporarily tightened password policies, the problems went unfixed.
After posting on the forum (http://sla.ckers.org/forum/read.php?13,15148,page=1), the boss of one of the people Benson reported the matter to summoned him into the office and terminated him.
I suppose we could all argue that posting this information in a public forum is dangerous. Saying that, Benson did try to report the matter through his internal chain of command and nothing was done?
Maybe it is because the people, he reported it to aren't IT savvy enough to realize how vulnerable TJX's systems are when they are left unprotected like this?
Even if a hacker didn't compromise the system, it is feasible that a dishonest employee could gather quite of bit of information and sell it? Carder forums -- where personal and financial details are bartered over cyberspace -- are well known and not very hard to find.
Please note, I wrote IF a hacker didn't compromise the system. I'm just pointing out stealing information wouldn't take a very sophisticated hacking job given the opportunities described in this instance.
They might even post (anonymously), how easily they got the information in hacker forums. Sadly if Mr. Benson had been more anonymous, he would probably still be employed. I guess it doesn't pay to be honest in cases like these?
My post just before this was about another revelation (pun intended) that not all data breaches are being reported. I tied this post into two stories. One was about the lack of reporting, and other one was recent reports about Finjan finding crimeservers via simple searches that contain a lot of information that could be used to commit a host of financial crimes.
Interestingly enough, the crimeservers (available to anyone on the Internet) weren't "password protected," either.
So far as Mr. Benson is concerned, I wonder if TJX was required to maintain a confidential hot-line and if he ever reported the matter there? Although, I'm not a lawyer, I also have to wonder if federal laws protecting "whistleblowers" apply here. More information on whistleblower laws can be seen on whistleblower.com.
It's a crying shame that the powers that be at TJX didn't value the fact that an employee was trying to show them where they might receive a lot more unfavorable public exposure by compromising their customer information.
I'll close with a supportive comment from the editor at SANS:
[Editor's Note (Schultz): Once again TJX is proving itself to be a villain. Interestingly, I still sometimes shop at a TJ Maxx or Marshalls store, but I always pay cash--I would never use a credit card because of TJX's huge security deficiencies. And if Nick Benson reads this comment, I would encourage him to contact me, because I will do everything in my power to help him find another job. ]
PS: I would like to add that I'm pretty sure there are companies out there that would value an employee, who brought matters like these to their attention. They might save them millions of dollars in the end when you consider the cost of recovering from a data breach.
As a disclaimer, TJX's side of the story is unknown, but according to the Register article when they were asked they would not comment on the matter.