Former Employee Says TJX Security In Lawrence, Kansas Is A Joke

Remember TJX’s gigantic security breach problems last year, where data on 94 million accounts was stolen? Good for you, because apparently TJX doesn’t. A former employee of a TJX store in Lawrence, Kansas was fired recently for posting anonymous complaints online about the current sorry state of his store’s security, which included the store manager writing server login and password information on a sticky note, and the store resetting employee passwords to blank fields.

According to The Register,

Benson’s May 8 posting was prompted by news that managers had changed the password for employees to access the store server. Inexplicably, it was set to blank. When Benson first began working for TJX, his password was the same as his user name, he said. Then came word in January 2007 that unknown hackers had brazenly intruded on the company’s network over a 17-month period. For a time following the disclosure, TJX employees were required to use relatively strong passwords. The change to a blank password clearly represented a step backward, Benson thought.

TJX says the former employee divulged confidential information, but Benson claims that he’s acting as a whistleblower to get them to improve their security:

“My information is still on that server,” he continued, referring to the machine that sits in an office at the TJ Maxx where he once worked. “So if their network is insecure, then my information is insecure. I’d prefer they get it fixed.”

“TJX employee fired for exposing shoddy security practices” [The Register] (Thanks to Will!)
(Photo: crazytales562)
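The three failures the story describes (a blank password, a password equal to the user name, and a "variation of the old password") are all things a password-change routine can refuse mechanically. The following is an added example, not code from the Consumerist post, The Register, or TJX; the user names, candidate passwords and the 12-character minimum are assumptions chosen for illustration.

```python
"""Password-policy check for the failures in the TJX story.

Added example, not TJX code. It rejects blank passwords, passwords equal to
(or containing) the user name, reuse of a previous password, and trivial
variations of a previous password. Names and thresholds are assumptions.
"""

from __future__ import annotations

MIN_LENGTH = 12  # assumption: a sensible floor for a server login


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch 'old password plus a digit' changes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def check_password(username: str, candidate: str,
                   history: tuple[str, ...] = ()) -> list[str]:
    """Return the policy violations for `candidate`; an empty list means accepted."""
    problems: list[str] = []
    if candidate == "":
        problems.append("blank password")
        return problems  # nothing further worth reporting
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.casefold() == username.casefold():
        problems.append("password equals username")
    elif username.casefold() in candidate.casefold():
        problems.append("password contains username")
    for old in history:
        if candidate == old:
            problems.append("password reused")
        elif edit_distance(candidate.casefold(), old.casefold()) <= 2:
            problems.append("trivial variation of a previous password")
    return problems


if __name__ == "__main__":
    # Constructed inputs mirroring the story: the server account's old password
    # was the user name, then a variation of it, then blank.
    user = "storeadmin"
    for pw in ("", "storeadmin", "storeadmin1!", "correct horse battery"):
        print(repr(pw), "->", check_password(user, pw, history=("storeadmin",)))
```

The distance threshold of 2 is deliberately small: it catches "append a digit" or "change one character" without rejecting genuinely new passphrases. On a Windows store server the equivalent controls are the minimum-length and complexity settings in the local or domain password policy; this script only shows what those settings are meant to refuse.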


  1. BloggyMcBlogBlog says:

    Where is TJX on the worst companies bracket? This is Final Four material here.

  2. sleze69 says:

    Too bad Walmart defeated them in the first round. This would have definitely helped in the fight vs. Citibank.

  3. musitron says:

    As an IT admin by trade, I understand how this happens: It’s just “easier” to do things the lax way, to not train people, and pretend that a five year old couldn’t “hack” their network.

    What I don’t understand is how the corporate parents have failed to notice that the cost of implementing proper security procedures, training the employees to use them, and promptly making examples out of people who (willfully or not*) break the rules is FAR LESS than the cost of paying for months of identity monitoring, credit checks, etc, of customers’ identities you’re leaking, not to mention those customers are likely never shopping there again, nor are their friends, families, or anyone with half a brain.


    * Just so you know, I would gleefully fire an employee that subverted security guidelines, whether they claimed ignorance or not. To me, ignorance of computer security is even worse than willfully violating computer security policies. See [] for proof. =}

  4. midwestkel says:

    That's awesome security practices!

  5. Balisong says:

    TJMaxx is abbreviated TJX? I didn’t even know who was being talked about here until I clicked a link to previous stories…

  6. neuman1812 says:

    After the original theft at TJX the main office went into overdrive. I was one of many (over 200) LP* consultants brought in. I spent one month in that office before quitting…

    The security there is a joke.. old crappy Windows machines as servers and on the registers.. Encryption failed at every turn, admin accounts left open on main computers. Most of my job was spent fixing things by “hacking” my way around their security with some simple DOS commands.

    LP=Low paid

  7. neuman1812 says:

    FYI TJX also includes

    Winners (Canada)
    AJ Wright

    They all have the same crappy encryption and password schemes..

  8. cef21 says:

    Um…. So, it seems to me that passwords, even obtusely stupid passwords, are confidential information. TJX was right to fire him.

    If he wanted to be a whistleblower, he could have gone to TJX’s chief information officer, the CEO, or the lawyers who represented them in the settlement. If those didn’t work and he was concerned about public data, a next good step would have been his state’s Attorney General.

  9. neuman1812 says:

    Problem with that statement. He didn't post any passwords (smart move there)

    And contacting the CEO or CIO….as a former consultant that worked in the IT department.. Good luck, I suggested that at one point but was written up for “not following procedure..”

  10. toddkravos says:

    The problem itself is confidential and by posting it on a website he essentially put the trust of the company at risk by exposing confidential company information.

    Yes, I know that the company already shot themselves in the foot with regards to public trust a year or so ago but, he too shot himself in the foot.

    He should have started with HR and proceeded up the chain if needed.

  11. MumblesFumbles says:

    There is a right way and a wrong way to handle a security breach. He chose the latter. Clearly, this person did not find the appropriate contact to report the issue to at corporate. Regardless of whatever his managers were doing wrong (and frankly in my book they deserve dismissal for violations of what most certainly must be corporate security policies) his mistake was to name the company in a public place. The root issue is that he broke a company policy which forces the company to discipline or else it makes the policy unenforceable in the future.

    The other issue I still see (sadly) with TJX is that it appears that there isn’t a risk management or auditing program that finds and corrects these issues? Where is the security awareness training (and why aren’t they testing to ensure the managers “got it”?).

    The bottom line is that all these things (security, risk management, etc) are all viewed as cost centers. They don’t add to the bottom line and probably are not given the due attention required. TJX is surely not alone in this regard.

  12. thrillwill says:

    @MumblesFumbles: ‘The root issue is that he broke a company policy.’

    The root issue here is that TJX is NOT taking this seriously and would prefer to fire him instead of incurring the costs of upgrading hardware, software and talent.

  13. pgh9fan says:

    Both my debit card and credit card were compromised thanks to TJX. I complained. They did nothing. I was really perturbed that they knew for one month and didn’t tell their customers so they could help the police. I really appreciated being used as a guinea pig without my knowledge. I haven’t been back since.

  14. Coles_Law says:

    Wow. I live in Lawrence and didn’t even know we had a TJ Maxx. They may not safeguard their passwords, but they sure keep the store hidden well.

    I’m surprised their security system even allows for a blank password.

  15. persch5 says:

    What everyone fails to realize is that working in a retail store he would have been fired no matter what course he took. Causing waves publicly is the same as doing it to your store GM. If you do it they can always find a reason to get rid of you.

  16. + says:

    Wow, the only thing I saw was the “Always something ew” in the picture. Whenever I go to ANY of those stores it’s dirty and messy with the exception of one BOBS.

  17. cef21 says:

    @neuman1812: Here’s one of the posts:

    So the store I work at the password to remotely desktop to the store server before the breach was the same as the username, then after the breach it was changed to a variation of the old password. Today I learn that the password has been changed to a blank password. WTF??

    Sounds like confidential info to me.

  18. joellevand says:

    Regardless of whether the guy should have been fired or not, WTF TJ Maxx? Didn't one security breach teach you that lax IT security is not only bad for shrink, it's bad press which is bad for business?

  19. Bubarubu says:

    @Coles_Law: The store is between Michaels and World Market on S. Iowa, across the street from Target and Home Depot. I’ve shopped there, and recently, and am most surprised that this story made a British paper and Consumerist, but not the local paper. I’m working on fixing that problem as we speak.