
How NOT to handle finding vulnerabilities at your company

UPDATED Link to Steve's interview with CrYpTiC_MauleR added below.

At first I wasn't going to post about this, but since it doesn't seem to be dying down, I will. Long story short:

1. A low-level techie finds weaknesses/vulnerabilities at the company he works for (TJX).
2. He reports these issues to the people he thinks should be aware of them.
3. His attempts fail; he decides it would be a good idea to post them to a public 'hacker' forum (ha.ckers.org).
4. His employer (TJX) discovers the posting, tracks down his IP, and contacts his ISP to discover who posted the details.
5. Employee goes to work and gets fired when it is discovered that he posted the details.
6. Public outcry that the employee was fired, and that they tracked down the IP that posted the info.

The reason for this post is #6 and the fact that people are actually upset about this. In a nutshell:

1. Infosec at TJX wasn't doing their job; otherwise issues such as blank passwords wouldn't be an issue. Someone is going to fall.
2. A random low level techie shouldn't be able to find these sorts of issues at a financial company.
3. The fact that this *low level* techie found these sorts of issues is unforgivable given that this company had a massive breach.
4. It is perfectly reasonable for the company to track down hostnames of those leaking confidential company information.
5. If people aren't listening to you, go upwards. Email PR, lawyers, and Directors/VPs. Do this formally in email so there is a documented paper trail. Once those up the chain start getting informed about major ‘preventable’ liabilities they must act; otherwise they may be personally liable for doing nothing. In TJX’s case they are under investigation for related issues, so they can’t ignore them.
6. If, after emailing high-up people in your company, they still ignore you, contact the FTC (http://www.ftc.gov/ftc/contact.shtm) anonymously.

Moral of the story: don't leak confidential company info on hacker forums and then complain when you get fired. For his sake I hope he isn't sued for 'damages'. Much more information at the InfoWorld link below. More opinions at the ha.ckers.org forum.

Forum Link: http://ha.ckers.org/blog/20080522/tjx-whistle-blower/
InfoWorld Link: http://www.infoworld.com/article/08/05/23/TJX-staffer-fired-after-discussing-security-problems_1.html
Interview Link: http://www.thetechherald.com/article.php/200822/1088?page=1

