TJX Dinged Over Security-Related Firing
By David Utter - SecurityProNews
May 29, 2008

A former employee of TJX, which suffered one of the largest security breaches and exposures of consumer information on record, claims he was fired for blowing the whistle on the company's practices.

Ex-staffer Nick Benson says abysmal password policies motivated him to discuss those problems on a security forum. Benson's postings caught up with him, resulting in his firing for exposing confidential TJX information.

The Register said Benson pointed out on Sla.ckers how security practices at TJX did not seem to measure up, in the wake of the enormous exposure of credit card data to external hackers.

Evidently, TJX allows store terminals to connect wirelessly to another server. Before you security pros do a synchronized facepalm, Benson also said TJX permitted blank passwords for accessing a company server.

Yikes. He also said his manager kept her username and password in the notorious manner of managers everywhere - on an easy-to-find Post-it note.

After venting a few times on Sla.ckers, The Register said TJX tracked Benson down and fired him over his posts. Some of Benson's commentary suggested firewalls were not in place for some TJX network resources prior to the security breach.

Benson's firing highlights a broader issue for security pros, one we have briefly wrestled with understanding. People who neither work in a technical capacity nor take an interest in such issues seem unable to appreciate the dangers of the Internet.

We think this is due to the lack of a "hot stove" response to doing something stupid, like leaving a password on a sticky note. For those of you unfamiliar with the "hot stove theory," it goes something like this: someone stubbornly touches a hot stove once; they receive immediate, painful feedback that touching a hot stove is very, very bad, so they don't do it again.

A blank password presents no real threat to whoever is in a position to permit it. If it did, such as the person allowing it on a corporate network being fired in a public manner, we wouldn't see these things happen at all.

It goes that way for various other online threats. Spend a day telling people not to click on links in messages from people or companies they do not know, and they'll do it anyway. When they do, they'll get someone else to clean up the mess. Lesson not learned.

The issues at TJX sound much deeper, and worryingly unresolved, nearly three years after their big breach. If the company spent as much time and effort on instilling best practices among those who access its network as it evidently does on reputation management (which could be zero if it is simply using a Google or Yahoo alert for its name as a keyword), there would be no need for a Benson to post about such concerns.

About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.
