Showing posts with label tjx. Show all posts

Thursday, May 29, 2008

TJX shoots the messenger reporting potential identity theft issues!


(Picture courtesy of b d solis at Flickr)

One would assume after compromising an estimated 94 million people's information, a company would become a model of information security for the rest of us to aspire to. Sadly, if the following story is true, this is NOT the case at TJX.

Ran into this disturbing example of a messenger getting shot for trying to report sloppy security on Sans Newsbites:

TJX Companies has fired an employee from a Lawrence, Kansas TJ Maxx store for making posts to a forum about the company's lax security practices, even after the notable breach. The employee, Nick Benson, said in several posts that except for a period of time following the breach disclosure when a strong password policy was enforced, the employee password at his store's server was set to blank. In addition, at one point a store server was running in administrator mode. When Benson began work at TJX, his password was the same as his user name. TJX says Benson was fired for disclosing confidential company information.

http://www.theregister.co.uk/2008/05/23/tjx_fires_whistleblower/print.html

http://computerworld.co.nz/news.nsf/scrt/3A2C5453A05F8C31CC257454006CE111

Reading a little further, by following the link to the article written by Dan Goodin in the Register, I discovered that the forum posts came AFTER the employee had tried to resolve the problem internally:

Other security issues included a store server that was running in administrator mode, making it far more susceptible to attackers. He said he brought the security issues to the attention of a district loss prevention manager named Allen in late 2006, and repeatedly discussed them with store managers. Except for a stretch when IT managers temporarily tightened password policies, the problems went unfixed.

After posting on the forum (http://sla.ckers.org/forum/read.php?13,15148,page=1), the boss of one of the people Benson reported the matter to summoned him into the office and terminated him.

I suppose we could all argue that posting this information in a public forum is dangerous. That said, Benson did try to report the matter through his internal chain of command, and nothing was done.

Maybe it is because the people he reported it to aren't IT savvy enough to realize how vulnerable TJX's systems are when they are left unprotected like this?

Even if a hacker didn't compromise the system, it is feasible that a dishonest employee could gather quite a bit of information and sell it. Carder forums -- where personal and financial details are bartered over cyberspace -- are well known and not very hard to find.

Please note, I wrote IF a hacker didn't compromise the system. I'm just pointing out stealing information wouldn't take a very sophisticated hacking job given the opportunities described in this instance.

They might even post (anonymously) in hacker forums about how easily they got the information. Sadly, if Mr. Benson had been more anonymous, he would probably still be employed. I guess it doesn't pay to be honest in cases like these?

My post just before this was about another revelation (pun intended) that not all data breaches are being reported. I tied that post into two stories. One was about the lack of reporting, and the other was about recent reports of Finjan finding crimeservers via simple searches, servers that contain a lot of information that could be used to commit a host of financial crimes.

Interestingly enough, the crimeservers (available to anyone on the Internet) weren't "password protected," either.

So far as Mr. Benson is concerned, I wonder if TJX was required to maintain a confidential hot-line and if he ever reported the matter there. Although I'm not a lawyer, I also have to wonder if federal laws protecting "whistleblowers" apply here. More information on whistleblower laws can be seen on whistleblower.com.

It's a crying shame that the powers that be at TJX didn't value the fact that an employee was trying to show them where they might receive a lot more unfavorable public exposure by compromising their customers' information again.

I'll close with a supportive comment from the editor at SANS:

[Editor's Note (Schultz): Once again TJX is proving itself to be a villain. Interestingly, I still sometimes shop at a TJ Maxx or Marshalls store, but I always pay cash--I would never use a credit card because of TJX's huge security deficiencies. And if Nick Benson reads this comment, I would encourage him to contact me, because I will do everything in my power to help him find another job. ]

PS: I would like to add that I'm pretty sure there are companies out there that would value an employee who brought matters like these to their attention. Such an employee might save them millions of dollars in the end when you consider the cost of recovering from a data breach.

As a disclaimer, TJX's side of the story is unknown, but according to the Register article, when asked they would not comment on the matter.

Saturday, March 24, 2007

FBI is going after Internet crime in Russia and Romania

A lot of experts believe that carder forums (selling stolen personal and financial details) are run overseas by Romanian and Russian organized crime.

Nate Anderson (ars technica) wrote an interesting article about this, where he said:

One American in Virginia, who goes by the Internet nick "John Dillinger," agreed to cooperate with "vendors" from Eastern Europe. These groups "acquired" credit card numbers, then sent them by e-mail and instant message to Dillinger, who then encoded them onto credit cards. He then took these credit cards to ATMs and made cash withdrawals; a percentage of the money was then sent back to the "vendor" and Dillinger kept the rest. Dillinger was eventually busted by the feds, though, and was sentenced in February 2007 to 94 months in jail.

This is a good example of how the Internet is enabling a global identity theft crisis.

Apparently, the problem is big enough for the FBI to send assets to Romania and Russia to go after the problem.

Of course, since most of the stolen information comes from the West, I guess that it means the Russians and Romanians are sending assets abroad or recruiting them there, also.

Nate's article, here.

In the past few days, six arrests in Florida have been tied to the TJX data breach (which might be the largest known compromise to date).

Although no one seems to be saying for sure, I doubt the six arrested are the main players in the TJX breach. They probably purchased the information elsewhere.

The total damage being reported in the Florida case is $8 million. The case was identified when the perps made some (extremely) large gift card purchases.

Maybe that's why they got caught, or they got (slightly) greedy?

It also probably isn't entirely fair to keep singling out the TJX breach. Personal and financial details have been stolen from a LOT of places. The known places can be viewed at attrition.org, here.

This is a global problem and it's going to take a global effort to put a stop to it!

Thursday, January 25, 2007

TJX's stolen data is being used - 200,000 accounts identified, so far

My guess is that the recent TJX data breach will prove to be the largest on record. Several sources are already reporting data from this breach is being used to commit fraud.

The Boston Globe is reporting:

The Massachusetts Bankers Association said yesterday that several banks reported fraud linked to debit and credit card numbers pilfered from TJX's computer system for unauthorized purchases made in Florida, Georgia, and Louisiana in the United States, and Hong Kong and Sweden overseas.

Middlesex Savings Bank is reissuing at least 20,000 Visa debit cards and had about a dozen suspected cases of fraudulent activity as far away as California and Japan, bank officials said. The bank said it costs at least $5 to replace a card, and many of the fraudulent charges were occurring at gas stations, discounters, grocery stores, and Internet merchants.

Boston Globe story, here.

This is likely the "tip of the iceberg" because a majority of the affected institutions haven't reported in yet.

Meanwhile up North, thousands of Canadian citizens have been affected. CTV is reporting:

Fraudulent activity has been confirmed on the accounts of thousands of Canadian credit-card holders who had their information stolen during a security breach at the U.S. parent company of Winners and HomeSense.

CTV story, here.

My advice is that if you have shopped at a TJX company recently, watch your statements carefully.

Especially if you have a debit card. Debit cards aren't protected as well as credit cards. Tom Fragala (Truston Identity Theft Services) has a great post on his blog about this, here.

Tom developed this service from a victim's standpoint and has helped many victims, both personally and with his well-known commentary on the subject.

If you are a victim, I can personally recommend his services, which also don't expose your personal information (again).

Here is my previous post on the TJX data breach:

TJX named as point-of-compromise in International …

Tuesday, January 23, 2007

People are getting tired of having their personal and financial information stolen

Are people beginning to get sick and tired of discovering that their personal and financial information has been exposed?

Employees at Xerox are picketing their office in Oregon because it took four months for anyone to be notified that a Human Resources manager had lost a laptop with their personal information on it.

Many of the employees rightfully feel that an offer of "free credit monitoring services" is coming four months too late, and are wondering why their information was stored on a laptop in the first place.

KOIN 6 News story, here.

With the news that TJX has potentially exposed millions in several countries by having their systems hacked, we are likely to see more and more people speak out!

Of course, we could ask Martha Coakley, who was just sworn in as the Attorney General in the state of Massachusetts. Ms. Coakley recently discovered someone was trying to use her credit card to buy a Dell. Her comment was that the chances of catching the crook "are slim to none, since even if they could link it to a person, jurisdictional issues would likely hamper an effort to prosecute."

Boston Herald story, here.

Maybe the problem is that there aren't sufficient laws to protect people's (personal and financial) information, or to go after the people who steal it?