TJX Employee Fired for Posting Security Issues

This is just classic. A TJX employee, Nick Benson, was fired for posting about security issues on the TJX internal network to the sla.ckers.org forum. Nick attempted to report the security issues to his management back in 2006 (before the massive TJX security breach) and nothing changed. Apparently things like blank passwords on servers were still in place as of May 8th of this year! Some of the issues he identified, as quoted in the SecurityFocus article:

“Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas, that employees were able to log onto company servers using blank passwords.”

“…a store server that was running in administrator mode, making it far more susceptible to attackers…”

and my favorite…

“My store manager even posted the password and user name on a post-it note…”

So what's the issue here? Two things. Sure, telling your management that there are security issues was the right thing to do. However, when nothing changes based on what you told them, the issue needs to be escalated to a higher level of management. I would hope that TJX has some sort of "ethics" or "privacy" hotline (most major companies have these, and they are anonymous) that this guy could have called. Doing some research on the company intranet to find out who to contact would also have been an easy approach to take if his management was not listening. Secondly, posting on a hacking forum to let the whole world know about these issues was not the brightest idea. This guy was easily tracked back to his real IP address; he probably even posted from work, which made tracking him even easier! If he was really serious about not wanting to be caught, he should have used Tor or some other anonymizing proxy to set up the account and make those postings (keep in mind he was a retail worker with no IT background, so Internet anonymity was an afterthought). Either way, not a very smart thing to do.

I still find it hard to believe that the TJX information security department would have thought it was OK to have blank passwords for logging on to servers! If so, these are not security professionals in my book; heck, a bunch of script kiddies wouldn't even use blank passwords! My guess is that the information security department never even knew about these issues. The "management" he reported the issue to was actually the loss prevention department. Loss prevention in retail and other companies mainly deals with preventing shoplifting and theft, so they are really not the right people to handle information security issues. Regardless, TJX still seems like a security train wreck; they won't be getting my business anytime soon.
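Since the whole story keeps coming back to blank passwords on servers, here is an added example of the kind of check an information security team should be running so that a store employee is not the first to notice. This is my own illustration, not code from the post, from TJX or from the SecurityFocus article. It audits Unix shadow-style account records, which is an assumption on my part (the article does not say what the store server ran); the sample records are constructed for illustration. The point it makes is that an empty password field is not the same as a locked one: an empty field lets anyone log in with no password at all, while "!" or "*" blocks password login entirely.

```python
"""Audit shadow-style account records for blank (empty) password fields.

Added example: parses constructed /etc/shadow-style lines (user:password:...)
and classifies each account. An empty password field means any login
attempt succeeds with no password; a locked marker ("!", "*", "!!") or a
leading "!" in front of a hash disables password login; anything else is
treated as a real hash.
"""

from dataclasses import dataclass
from typing import List

# Markers commonly used to lock an account rather than store a hash.
LOCKED_MARKERS = {"!", "*", "!!", "*LK*"}


@dataclass
class Finding:
    user: str
    status: str  # one of "blank", "locked", "hashed", "malformed"


def classify_password_field(field: str) -> str:
    """Return the risk class of a single password field value."""
    if field == "":
        return "blank"  # no password required: the TJX finding
    if field in LOCKED_MARKERS or field.startswith("!"):
        return "locked"  # password login disabled
    return "hashed"


def audit_shadow(text: str) -> List[Finding]:
    """Classify every account record in shadow-style text."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        parts = line.split(":")
        if len(parts) < 2:
            findings.append(Finding(parts[0], "malformed"))
            continue
        findings.append(Finding(parts[0], classify_password_field(parts[1])))
    return findings


def blank_password_accounts(text: str) -> List[str]:
    """Names of accounts that can be logged into with an empty password."""
    return [f.user for f in audit_shadow(text) if f.status == "blank"]


# Constructed sample records (hypothetical users, not real TJX data).
SAMPLE_SHADOW = """\
# user:password:lastchg:min:max:warn:inactive:expire:
root:$6$saltsalt$fakehashvalue:17000:0:99999:7:::
store01::17000:0:99999:7:::
svcbackup:!$6$saltsalt$fakehashvalue:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
"""

if __name__ == "__main__":
    for finding in audit_shadow(SAMPLE_SHADOW):
        print(f"{finding.user:12} {finding.status}")
    print("blank-password accounts:", blank_password_accounts(SAMPLE_SHADOW))
```

Run it as root against the real /etc/shadow (or feed it a copy pulled by your configuration management tool) and anything in the "blank" list is an account that accepts an empty password, which is exactly what the store employees in the article were using. The same question applies to Windows servers, where the equivalent check is whether a local account has been created with the "password required" flag cleared; the underlying point is that the check is trivial to automate and should not depend on a retail clerk reporting it.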
