TJX fires whistleblower – was it justified action or something else? (Update)
by Steve Ragan - May 28 2008, 01:00
TJX removes person for airing dirty laundry. (IMG: J.Anderson)
Over the Memorial Day weekend, The Tech Herald interviewed Nick Benson, a student at the University of Kansas. Known to most as CrYpTiC_MauleR (CM), his story is one of good intentions gone badly wrong. Benson was an hourly, time-clock employee of TJX. He noticed security problems and reported them both internally and externally. The external reporting, to a well-known forum dealing with security issues, is what cost him his job. TJX, apparently unhappy that he was talking, quickly removed him from the payroll.
TJX, to rehash, is the company that left over forty million credit and debit card numbers at risk because of poor network security. TJX used weak WEP wireless encryption, which led to a network intrusion and the capture of card data as it crossed the network. The story surrounding Benson starts on August 22, 2007, when Benson, posting as CrYpTiC_MauleR, started a thread on the sla.ckers.org forum.
His post, titled “TJX Still Lacks Security,” recorded observations from the vantage point of an ordinary time-clock employee. In his first post on the subject Benson wrote, “Being an employee of TJX it’s amusing to see what bad security practices they did before their major breach and still do after.” Adding, “Recently they started to add Cisco firewalls to their stores, it’s about time, but the technician from Fujitsu that came to one store did not know what he was doing. He said it was his first time setting up one of those firewalls, and then said he didn't know what he was doing and he thinks he set it up right. He even ended up asking a cashier about the computer's setup, as if he/she would know. Now, judging from this, does this sound like progress in securing a company's IT infrastructure?”
“It's good to know I never use anything but cash at their stores, but it's hard to sleep at night knowing the same network stores my employee information. For all I know that information has already been picked clean by the hackers and the company could have swept it under the rug. Looks like I'm looking for a new job =oD,” he wrote, ending his first post.
Benson kept his job for a while. He told The Tech Herald in an interview, “I have to say I did enjoy it to a degree. My job tasks did get hectic at times, but the employees working there, including certain store managers, were some of the nicest people I have ever worked with. Other than that, I did get frustrated time after time knowing my information and even customers' information was not being seriously protected. Being into information security, it was a bummer to know that fact and still work there. The more issues that came to light, the more I disliked working there. I mean, would an animal rights activist be happy working at a slaughterhouse?”
The conversation on the forum continued as Benson took questions from others while pointing out more observations about the company's security. “Well, the TJX stores use a central server that all registers, markdown equipment, etc. communicate with, wired or wirelessly. The server sadly is run under admin and has Windows network shares, not to mention a shitty password. One scary thing is that the server for some odd-ass reason has Adobe PDF reader on it; as to why a server would need that I don't know, but the worst part is it is version 5.x. So who knows what other software, including the OS, is not up to date and protected.”
He made another observation: “[TJX] has told the press it is now PCI compliant, but doesn't requirement 6 of PCI state that systems must be up to date with all vendor-supplied security updates?”
According to court documents dated October 22, 2007, TJX was in fact not PCI compliant. The documents state that TJX failed to comply with nine of the twelve PCI requirements, and that most of the failures were “high-level deficiencies,” according to statements by an unnamed witness.
The witness also explained that, “After locating the stored data on the TJX servers, the intruder used the TJX high-speed connection in Massachusetts to transfer this data to another site on the Internet… 80 gigabytes of stored data improperly retained by TJX was transferred in this manner. TJX did not detect this transfer.”
In 2004, before the theft of the cardholder data, TJX was made aware of its PCI failings. The witness said that the report “identified numerous serious deficiencies at TJX, including specific violations. TJX did not remedy many of these deficiencies,” adding that “he had never seen such a void of monitoring and capturing via logs activity at a Level One merchant as he saw at TJX.”
Tied to this, another post by Benson described the password scheme used at his store.
“So at the store I work at, the password to remote desktop to the store server before the breach was the same as the username; then after the breach it was changed to a variation of the old password. Today I learned that the password has been changed to a blank password. WTF? You would think they would learn from their mistakes. I assume they must think now that they have the above-mentioned firewall in place they don't need a strong password, or they are just lazy. I am not sure if this is just an isolated incident within this specific store, but it goes to show that you can't trust a company to protect your information, especially TJX. Today was a very sad day for me…”
The store, T.J. Maxx at Pine Ridge Plaza in Lawrence, Kansas, had the same kind of weak internal security that led to the original TJX theft. According to a 2007 Wall Street Journal story, investigators in the TJX case said it is likely that the criminals sat in a Marshalls store parking lot and used directional antennas to capture wireless traffic. That store, in St. Paul, Minnesota, used WEP (Wired Equivalent Privacy) to protect transmissions from the store's credit card processing hardware.
Other reports said that the attackers planted programs on the network to keep their access, or hijacked valid user accounts. Using that access, they were later able to get into the corporate network and remove the personal data. Investigators told the Journal that the St. Paul Marshalls location was running its wireless network under WEP, whose weaknesses (a 24-bit initialization vector that repeats quickly, and RC4 key-scheduling flaws that let an eavesdropper recover the shared key from captured traffic) had been public since 2001. WEP has since been superseded by the Wi-Fi Protected Access (WPA) protocols, which security experts regard as far stronger.
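The WEP weakness the investigators relied on comes down to how WEP builds its per-packet key: a 24-bit initialization vector (IV), sent in the clear, is prepended to the shared key and fed to RC4. Whenever an IV repeats under the same shared key, two frames are encrypted with the identical keystream, so XORing the two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts; knowing one plaintext (802.11 data frames carrying IP begin with a fixed eight-byte LLC/SNAP header) exposes the other. The Python below is an added illustration, not code from this article or from the TJX investigation. It implements RC4 and a WEP-style encryption of the IV||key form (the CRC-32 integrity value real WEP appends is omitted, which does not change the argument), recovers a second frame's plaintext from IV reuse without the key, and computes the birthday-bound probability of an IV collision in a 24-bit space. The shared key, IV and frame contents are constructed samples.

```python
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 keystream for `key`: key-scheduling (KSA) then output generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                        # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                    # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


IV_LEN = 3  # WEP uses a 24-bit IV, transmitted in the clear ahead of the ciphertext

# Fixed prefix of an IPv4 packet inside an 802.11 data frame: LLC/SNAP header.
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: cleartext IV, then RC4(IV || shared_key) XOR plaintext.
    Real WEP also appends a CRC-32 ICV to the plaintext first; omitted here."""
    assert len(iv) == IV_LEN
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + xor(plaintext, keystream)


def recover_from_iv_reuse(frame_a: bytes, frame_b: bytes, known_plaintext_a: bytes) -> bytes:
    """Eavesdropper side, no shared key. If frame_a and frame_b carry the same IV
    (hence the same RC4 keystream) and frame_a's plaintext is known, return frame_b's
    plaintext, for as many bytes as are known of frame_a."""
    iv_a, ct_a = frame_a[:IV_LEN], frame_a[IV_LEN:]
    iv_b, ct_b = frame_b[:IV_LEN], frame_b[IV_LEN:]
    if iv_a != iv_b:
        raise ValueError("different IVs: different keystreams, nothing cancels")
    keystream = xor(ct_a, known_plaintext_a)    # C_a XOR P_a = keystream
    return xor(ct_b, keystream)                 # C_b XOR keystream = P_b


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least two of `frames` random IVs coincide."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


def demo():
    """Constructed sample: one shared key, one IV reused across two frames."""
    shared_key = bytes.fromhex("0102030405")    # 40-bit WEP key (constructed)
    iv = bytes.fromhex("0c4a17")                # constructed IV
    p_a = LLC_SNAP_IP + b"constructed IP packet one"
    p_b = LLC_SNAP_IP + b"constructed IP packet two"
    frame_a = wep_encrypt(shared_key, iv, p_a)
    frame_b = wep_encrypt(shared_key, iv, p_b)
    # Knowing only the fixed 8-byte header of frame_a already yields 8 keystream bytes
    # and hence 8 bytes of frame_b; knowing all of p_a yields all of p_b.
    partial = recover_from_iv_reuse(frame_a, frame_b, LLC_SNAP_IP)
    full = recover_from_iv_reuse(frame_a, frame_b, p_a)
    return partial, full


if __name__ == "__main__":
    partial, full = demo()
    print("recovered from header only:", partial.hex())
    print("recovered from full known plaintext:", full)
    for n in (1000, 5000, 20000):
        print(f"{n:6d} frames -> P(IV collision) = {iv_collision_probability(n):.3f}")
```

A busy store network emits thousands of frames an hour, and many WEP implementations of the era reset the IV to zero or stepped through it sequentially, so collisions arrived far faster than the random-IV birthday bound above suggests. This block shows only keystream reuse; the key-recovery attacks tools of the time used against WEP (Fluhrer-Mantin-Shamir and its successors) exploit the RC4 key-scheduling weakness instead and are not implemented here.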
Benson, for the record, was not an IT employee at TJX. In his interview with The Tech Herald he described his role: “I did cashiering, markdowns, cash office and other misc. low level jobs at TJX.” He does, however, have a stated interest in, and a demonstrated knowledge of, IT and security. Several people on the forum told him he should move up in the company and help correct the issues.
While Benson was trying to inform higher-ups in the company about the security problems, he was still posting his day-to-day security observations to the web: “I told an executive loss prevention manager about the username being the same as the password months before the breach occurred; of course he didn't do anything. I am not an IT tech at this store, just an average employee, so my opinion or advice does not mean shit when I do tell people who have the power to make any changes.”
Asked whom he spoke to specifically about the security issues, he said, “The store managers about many of the issues, and the initial password issue to the highest person up I knew who I thought could deal with these issues was the District Loss Prevention Manager. He said it should not be that way and said he would look into it; of course the password wasn't changed until months after the breach, mind you I told him months prior to the breach.”
Benson later explained that the Loss Prevention manager was the right person to approach, because ordinary employees at remote store locations have no access to a security department or any other internal IT structure. There were posted contact numbers, but little is known about how effective they were.
On Friday [May 23], word spread that Nick Benson had been fired. He was terminated over his public disclosures, and the news sparked a debate over proper methods of whistleblowing and disclosure policy. The first point made by many was that Benson had violated his NDA, or non-disclosure agreement. He was asked whether he was aware of any such agreement when he was hired.
“I signed an employee conduct form and some form saying I agreed to their new information security policies after the breach. I am not aware of any NDA that I may or may not have signed. I have signed many things while at the store, and usually when there is something for employees to sign they call everyone at once to the office to have them sign it and quickly, and I emphasize quickly, explain what it’s about. Otherwise they call you in on an individual basis and have you sign,” he said in his interview with TTH.
TJX had not responded to requests for the terms of his agreement, or the reasons for the termination, at the time of publication, and it is unlikely it will disclose any of that information to the press. Benson was also asked what he was told regarding the cause for dismissal. He explained, “The cause for my termination was a 'policy violation' according to corporate office. It was employee policy not to disclose proprietary or confidential information. So going back to NDA, I don't think an NDA was issued; otherwise this would not be the reason for my firing, as far as I am aware.”
What is interesting is that TJX apparently asked Benson for his opinions on security at the store where he worked and, after getting some ideas, fired him. This was reported in several forums and on the ha.ckers.org blog that broke the news. Asked to confirm these reports, Benson said, “I can't tell anything more than what is already said in the forum posts due to TJX legal threatening to take action against me for any further information of that nature being disclosed. I informed them of the password issues, the server running as admin, the un-patched software, and many other issues that related to physical and IT security of employee information as well.”
Robert Hansen, better known to some as RSnake, broke the news of the dismissal and offered some opinions on the matter. “CrYpTiC_MauleR has been a long time poster on sla.ckers.org and has made a lot of contributions. I, for one, feel terrible about what happened.”
However, in the comments section of his post, where a debate over NDA violations and full disclosure took place, RSnake had this to say: “You leaked confidential info on a public place about the company you currently work for. Good intentions or not you crossed a line. The larger the company the less tolerance they have for this sort of thing.”
“If people at your company are not listening go up the chain. Email PR, lawyers, and Directors/VPs. Do this formally in email so there is a documented paper trail. Once those up the chain start getting informed about major ‘preventable’ liabilities they must act, otherwise they may be personally liable for doing nothing. In TJX’s case they are under investigation for related issues so they can’t ignore them,” he added.
So was Benson wrong? In terms of disclosure, yes, and that is why he was fired: he disclosed sensitive information about a company he worked for and whose systems he had privileged access to. But the lack of any resolution offered to him is what caused the problem. There was no malicious intent in his posts to sla.ckers.org. He pointed out things he had seen and had legitimate access to; he was not poking around in places he was not allowed to go, and he went public only after he had exhausted the internal channels.
Benson was asked in his interview whether the security issues he noticed and reported were apparent to anyone else. He said, “Some other employees who I discussed employee information not being protected with understood the concerns and also did not like how their information was not protected well. These were like applications, W-4 or other papers with sensitive info like social security numbers being placed on desks in open view in the office for any other employee to see.”
“Numerous times I saw other employees' personal information due to such practices. I know for a fact I would not want some stranger seeing my info… My other issues with the IT security, only managers and pertinent staff were aware of when I brought them to their attention. This was primarily due to my position as a cash office associate. If I was not in the cash office, many of the IT issues I would never have known about, so the reason only certain staff knew about those issues was their access.”
How does Benson feel after all of this? He was asked that, and whether he felt betrayed by the termination. “Losing my job is a setback and a hardship I have to endure. The point of the matter was bringing to light the issues of a company that contradicted what they tell the public. I feel sort of betrayed that they first asked me about all the issues I saw and what was done wrong, and then fired me on the spot. With a 'good luck finding another job.' Thanks for benefiting from me telling you all the issues, then firing me.”
“Whether the issues are fixed or not I have no way of telling. I do find it interesting that I was asked if I could delete the posts; I told them all I could do is make them blank. I was asked if I could even log in to the site from the store manager's computer, which of course I said no to. After even making that request they still fire me? I feel no reason to remove the posts, not after firing me and not to allow them to censor me. I guess their stance is if no one knows about it, it's not a security issue, because we all know that's how security is done,” he added.
The debate over full disclosure will never end. Nick Benson did both the right thing and the wrong thing: he noticed issues and reported them, and when nothing was done he went public. Going public is a double-edged sword. He alerted the public to his company's security problems and listed examples of dangerous practice, and it cost him his job. Some argue it could lead to legal action, but that is a stretch. Nothing in his posts gets an attacker onto the company network; the blank remote desktop password and the server running as admin only matter to someone already on the store LAN, and an attacker in that position would find those weaknesses quickly without Benson's help.
In this case full disclosure does not follow the usual path: there is no vulnerable product and no vendor to notify before going public. It is the case of a company telling the public that it has fixed its security, and an employee calling it out with observations that say otherwise. The poor security practice at TJX is what led Benson to report, both internally and externally.
Was TJX correct in its termination? Strictly in a business sense, yes; it had every right to fire him over this. Was it a smart thing to do? Probably not. Companies do not like their dirty laundry made public, and firing him is what made it public.
The other question nobody has raised concerns TJX's corporate IT department. Where is it? Where is the district or travelling IT person who trains store managers? From the outset of the TJX debacle the clear picture is of an IT department that is not managing its network. Why else would it use WEP? Granted, IT might be hamstrung by desk-side managers with no real knowledge, who manage from manuals instead of experience. But remote desktop access to store servers with no password at all is plainly a lack of resources or of sense.
After the theft was exposed, TJX made sure the press and public knew it was overhauling its security. The public, however, was apparently not getting all the pieces, and Benson knew this; by his own account it was one of the reasons he posted publicly about some of the security and PCI-related issues in the first place.
What happens next? Benson is out of a job and is on holiday this week. TJX is staying silent and, aside from the termination, will likely do nothing, and the debate over full and proper disclosure will continue.