Right thing, wrong way

The TJX Companies is likely to receive a good deal of backlash from the media for its latest action -- it just fired a whistleblower for making public certain of its internal security policies.

Nick Benson, who was employed at a TJ Maxx in Lawrence, Kansas, frustrated that his warnings about lax information security were being ignored by his bosses, communicated his irritation on a hacker blog.

The University of Kansas student, posting under his hacker name CrYpTiC MauleR, pointed fingers at the company's lax password policy, its server security settings, and the technicians who, with hardly a clue, came in to install firewalls at the company's stores.

For example, Benson said, “Being an employee of TJX, it's amusing to see what bad security practices they did before their major breach and still do after.”

Not that the company can’t withstand some bad press. The breach Benson refers to, in Jan. 2007, was reported to have exposed as many as 94 million credit and debit card accounts, and cost the clothing retail company tens of millions of dollars in legal settlements. But it seemed to have little effect on sales.

In fact, customers showed little concern following the transgression. Many were obviously more attracted to a sales offer the company issued along with an apology than they were worried about having their credit card info stolen by hackers.

According to published reports, what led to the breach was the company’s failure to secure its Wi-Fi network. The Wired Equivalent Privacy protocol the company used reportedly offers inadequate protection and opened the door for hackers -- using a basic, telescope-shaped antenna and a laptop -- to steal data flowing through a Wi-Fi network at one of the company’s units near St. Paul, Minnesota.

The hackers, said to be Romanian and Russian organized crime groups, also created their own TJX accounts by piercing the TJX central server in Framingham, Massachusetts.

Following this major breach and all the attention it received in the press, Benson was obviously trying to do good by asking for help in fixing a problem that could affect TJX customers. But his approach did not go through the proper channels and he was guilty of transgressing company policy.

While TJX is repeatedly held up in the press as a poster child for data breach infractions, it did attempt to respond to legal requirements to ramp up security on its network, installing stronger firewalls.

But Benson was reporting that the firewalls were inadequate. The company might have benefited by listening to CrYpTiC MauleR when he first approached them with his information.

Yes, he violated company policy by discussing internal policies, but hopefully he’ll end up in a better place -- a place where IT warnings are heeded, where strategies can be found to respond to challenges, where corporate support is offered and where the security of customer information is considered a priority.
