Following TJX's major loss of credit card data last year, the company implemented a series of internal changes that were meant to make it more difficult for theft to take place again in the future. The only problem was that the implementation was not exactly ideal and at least one TJX employee identified this and made an effort to report the situation internally. When faced with no response from the company, he chose to release the information publicly.
Even though it took nine months for the company to catch up, the employee has recently been fired for releasing the information.
A little security awareness in the wrong place at the wrong time can have catastrophic consequences, as the TJX employee found out to his cost. Unfortunately for him, he was the main contributor to his own downfall, by releasing more and more detailed information about the internal system setup and administration.
An analysis of the information posted to the sla.ckers.org forum shows that he was concerned about the security of the data being placed on systems that were clearly not compliant with the specifications that the company claimed to be adhering to (PCI being one). Given the nature of the information being placed on the systems and the recent major loss of related data, it would be natural to assume that the new data would soon be compromised as well.
The other striking thing that the analysis shows is that the information released was far more detailed than was necessary to raise the alarm about a security issue. Why a general store employee had access to this level of information is a question best left to TJX to answer, but it does suggest serious problems with their internal data systems and networks.
For Information Security researchers who have an established record of credibility, the decision to release sensitive information about a client that is refusing to accept guidance is potentially damaging to their reputation and future work prospects, and demonstrates an inability to recognise and set sensible ethical limits.
If you do find yourself in a similar situation, where you have noticed something seriously wrong with your company's IT systems, the IT department is not going to fix it (or has threatened various nasty things), and appealing to management hasn't worked, then there are still options available that do not paralyse your career. The most important thing to do is to maintain a secure trail of evidence of what you reported, to whom, when, and what their response was, and to make sure that it is properly documented.
If it is a public company then contacting the company's C-level executives will put the issue in front of people who could carry personal liability if it is not addressed; this leverage is weaker in a privately held company, even though the owners have more of a financial liability. If job security is a concern, there are a number of free webmail providers that can provide an anonymous means of contacting people.
Lastly, be responsible for your actions. If you were doing something you shouldn't have, then own up to it - the earlier the better. Be prepared to find yourself in the midst of the Disclosure Dilemma and accept that, sometimes, for no good reason, some things will never get fixed.
For most people, the stages of Disclosure are:
- Reporting to the vendor
- The vendor ignoring the report (or, just as likely, making legal threats)
- Public Disclosure
- Vulnerability fixed (usually with no recognition of earlier process)
The Dilemma is whether the public disclosure of information will hasten the fixing of the vulnerability or worsen the threats/abuse from the vendor, or whether it will subvert the vendor's attempts to fix it.
Fortunately there is a simple way to remove the Dilemma. If you have an issue reported to you (as a vendor or otherwise), keep the discoverer informed of what is going on, and at least be civil with them. A lack of information, combined with threatening or abusive behaviour, is the surest way to have your vulnerabilities exposed for the world to see.