TJX Staffer Sacked After Talking About Security Problems

A low-level TJX employee has lost his job for speaking in public about information security problems he uncovered while working for the company.

The employee, Nick Benson, is a University of Kansas student who worked at T.J. Maxx’s Pine Ridge Plaza store in Lawrence, Kansas. In an e-mail interview, he said he was fired Wednesday for violating corporate policy by disclosing proprietary information.

TJX is sensitive about information security after being the victim of a massive data theft, apparently made possible by poor security on the company’s wireless networks. That breach, which compromised 94 million credit and debit card accounts, has cost the company tens of millions of dollars in legal settlements.

Benson, also known by his hacker name, Cryptic Mauler, is a frequent poster to computer security discussion groups such as Full Disclosure and the Sla.ckers.org Web forum, where he criticized the company’s password policy, its server security settings, and the competence of the technicians who install firewalls at the company’s stores.

“I never use anything but cash at their stores, but it’s hard to sleep at night knowing the same network stores my employee information,” he wrote on Aug. 22, 2007. “For all I know that information has already been picked cleaned by the hackers and [the] company could have swept it under the rug.”

Although Benson didn’t disclose anything that would have been news to a “vaguely smart” criminal, he did make a mistake by not disclosing the problems he’d found through the proper channels, said Robert Hansen, the CEO of Sectheory.com and owner of the Sla.ckers.org site. He first blogged about Benson’s termination on Thursday.

Hansen said he felt bad for Benson, as did many of the contributors to his Web site. “He’s a young guy,” he said. “He didn’t know the rules.”

It’s an all-too-common story in the information security industry, Hansen said. “When people are new to information disclosure … they’re idealistic and young and they tend to make mistakes,” he said. “A good chunk of the people who sympathize with him have had almost exactly the same thing happen to them.”

Benson said he reported the issues to his store manager and the company’s district loss prevention manager but no immediate action was taken.

Just last week, Benson expressed concern that he might be fired for reporting the problem. “I don’t want to lose my job for reporting this,” he wrote. “Unfortunately anonymously reporting this will not work, since it would require me giving the store location which would then easily zero me out. “

Apparently TJX zeroed Benson anyhow, identifying him from the IP address he used to post his comments to the Web site, Hansen said.

The company met with him on Wednesday and asked him to explain all the security issues he’d found. After that, he was “fired on the spot,” he said.

TJX did not return calls seeking comment for this story.

Benson said the company has threatened to take legal action against him if he talks any more about the company’s security problems.