TJX Fired Employee Who Exposed Their Lack of Security

TJX, the company where the world’s biggest data theft involving credit card information occurred, fired an employee who exposed the company’s faulty security practices by leaving posts in an online forum. The story of the employee showing how easy it was to breach TJX was made public by The Register.

Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas, that employees were able to log onto company servers using blank passwords, the fired employee, Nick Benson, told The Register. This policy was in effect as recently as May 8, more than 18 months after company officials learned a massive network breach had leaked the details of more than 94 million customer credit cards. Benson said he was fired on Wednesday after managers said he disclosed confidential company information online.

Other security issues included a store server that was running in administrator mode, making it far more susceptible to attackers. He said he brought the security issues to the attention of a district loss prevention manager named Allen in late 2006, and repeatedly discussed them with store managers. Except for a stretch when IT managers temporarily tightened password policies, the problems went unfixed.

According to The Register, Benson’s posts never revealed enough information to actually facilitate a security breach at TJ Maxx, but that didn’t really help him keep his job. All for the best, if we consider his statement:

“They’re telling the public they’re PCI compliant,” he said, referring to so-called payment card industry security rules governing businesses that accept credit and debit cards. “That I think is unethical.”

He also admitted he hasn’t acted out of selfless motives. As he pointed out, he still has private records stored on the TJX network. A faulty security system would expose him as much as any other employee or customer.
