TJX whistle blower sacked?

TJX whistle blower sacked?

Summary: TJX, the retailer that was hit with a major security breach, has sacked a whistle blower who was exposing the company's security issues.According to the ha.

TOPICS: Security

TJX, the retailer that was hit with a major security breach, has sacked a whistle blower who was exposing the company's security issues.

According to the site:

I had some very disturbing news today from one of the forum users - he had just been fired by TJX for whistle blowing on their security issues. CrYpTiC_MauleR, who’s posts on TJX can be found here was fired today by TJX for talking about the company’s security flaws. This is the same company who recently lost millions of credit card numbers, for those of you who don’t recall. They tracked him down by IP (we’re still not completely sure how they did this, but we think it may have to do with a DynDNS account he uses), contacted his ISP to find out who he was, brought him into the office, questioned him about what he found, asked for him to write down his thoughts on how to fix the issues and then promptly fired him.

I completely understand why a company would want to reduce their risk, but this doesn’t bode well for future would-be whistle blowers, or for the future state of security for TJX. CrYpTiC_MauleR has been a long time poster on and has made a lot of contributions...

Now this is all a little bit hard to verify--it's not like TJX (all resources) is going to talk about personnel issues. Meanwhile, the full name of CrYpTiC_MauleR isn't known. However, we have it on good word that this actually happened.

And now for the big question: Should this whistle blower been fired? I'd have to argue that TJX was right to fire CrYpTiC_MauleR. It's noble to be a whistle blower. It's another thing to disclose internal information in a hacker forum--especially as TJX was trying to recover from its security breach.

What's your take?

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • ...

    Correct me if I am wrong but I thought that whistle blowers had legal protection against this type of behavior. ]:)
    Linux User 147560
    • Sort've...

      Whistle blowers are protected if they are reporting a company's crime to the press or a law enforcement agency. While TJX may have been stupid because there are security holes, there is nothing illegal about it.

      This employee should have been bringing this up with his management. If there was another security breach, it would be on their heads, not his.
      • I agree, otherwise

        a disgruntled employee could give away security measures on line in hope that someone breaks in and does damage, then hide behind the line "I was acting under the context of Whistle Blower" when he is cuaght.
      • Management?

        While I'm not disagreeing in principle, and we do not know all the facts of what he did and did not attempt to do, it is my experience that these sorts issues are the result of management choices. Bringing the security issue up to the people who made the choices that created the issue in the first place could also get you fired.
    • not in private sector

      Whistleblower protection laws, where they exist, have largely only been written for public sector employees - government, state universities, companies with defense contracts, etc. There's nothing preventing a private-sector company from firing an employee for any reason.

      That's not to say that even the public-sector protections are all that secure - just ask the guy at the FDA who spilled the beans on the Vioxx coverup. Oh, wait, I'm not sure he works there any more.
  • Why not whistle blower use a proxy?

    That way, his ISP's IP address can be shielded and may remain anonymous?

    It will make it harder for someone to track him down! :)
    Grayson Peddie
    • Ditto

      I wholeheartedly agree with you. If he had done as you suggested and let the company know of there security problems, he might have been promoted.
  • Not a Whistle Blower

    I don't think you can call him a Whistle Blower. He got on a website and disclosed details of security problems with the company that he works for, but did not report them to the correct people. I don't think it was a bad idea to discuss the problems on a website, but he did not need to expose the companies name to do such.

    "I work at a company that recently had a large lose of corporate computer data stolen, and I found that ......."

    If he did the above, he could have gotten some good advise, and not throw his company under the bus. Instead he disclosed passwords and what computers they would work on, and also exact names of outdated software that could also be used for other exploits.... not the best idea of the week.

    He got fired for GOOD cause.
    • I agree.

      A whistle-blower reports security issues internally first.
      Then, if they can't get action taken internally, you report to
      official government agencies and national press. Not a
      hacker forum. I suppose he couldn't get the company to
      listen because it appears he was an employee in an
      individual store and it's hard to get a big company to
      accept that the low-wage employees in the stores have any
      information the CIO might need. The assumption in upper
      management is usually that if you're that smart you
      wouldn't be working for minimum wage. The concept that
      these people might be quite accomplished script kiddies (if
      you write code well enough for the "hacker" moniker you
      do get a job in the IT industry making more than minimum
      wage) who could offer advice on security often escapes
      them. Still, he should have handled the issues through
      proper channels if he wanted to keep his job. TJX was
      100% correct to fire him.
  • RE: TJX whistle blower sacked?

    Do we really know who or what he tried to report this too? I think that is the real question and if he did would the company admitt they had prior knowledge? NO... In some companies I have seen people singled out for reporting flaws. I do agree that he should have exhausted every internal resourse to gain attention to the issue.
    One problem I see in this industry (InfoSec) is how a company will try to cover up its involvement in security issues. Yes this could be to protect itself. Is that protecting itself from what it ignored or what it didn't look for? TJX went to the whisle blower to find and fix the issue. It would seem company IT security staff had no clue of the risk and was either in denial or like most of us under staffed. Regardless, what happened at TJX demonstraighted what can be seen industry wide. A lack of understanding in balancing business with security and security usally looses. I think there are several thousand credit card customers that are thankful to him for what he did and if nothing else he did raise public awareness.
  • RE: TJX whistle blower sacked?

    I agree. Spreading that type of info not only hurts the company but could allow others to exploit these flaws and harm may people.
  • RE: TJX whistle blower sacked?

    As an IT whistleblower that spent the last 3 years of my life in litigation against my former employee, I feel for this guy. In response to this I wrote a 7 steps to successful whistleblowing for IT professionals - it can be viewed at
  • RE: TJX whistle blower sacked?

    Erm, has anyone read what he's actually said? The information is way too general to be of any real use to anyone... including hackers. 'Their passwords are too simple to be safe' - not a lot of information in that! I don't think disclosing such shallow and undetailed information can be called whisteblowing. It's pathetic to sack him for that and the company just comes out looking over-authoratative and paranoid... their security has proved poor in the past and they know they're in the wrong, sacking this guy is just pathetic retaliation.
    Infosys employee