
Posts Tagged ‘TJ Maxx’

ID theft and credit cards

Monday, August 11th, 2008

Over the last few days there have been a lot of headlines about how the US has cracked the biggest ID theft ring ever. Frankly it’s a load. Biggest? Perhaps. ID theft? Only by the loosest definition. The suspects are alleged to have stolen 40 million credit card numbers by breaking into retailers’ networks (most notably the much maligned TJ Maxx). The problem is that the US government defines stealing a credit card number as identity theft. This is the most inclusive definition, but it’s also the worst. If someone steals your credit card number you simply cancel the card and are not held responsible for the fraudulent charges. No one can wreck your credit score or open a line of credit in your name with it; for that they usually need your social security number. Counting stolen credit card numbers as ID theft artificially inflates the statistics and makes for great scare tactics from companies like LifeLock, but it doesn’t actually measure the real risk to your credit score. Some organizations that have no vested interest in scaring you (like the Privacy Rights Clearinghouse) are more careful about the distinction, but most simply use the largest and scariest number possible. It’s time for this tactic to stop. Stealing someone’s credit card number is not the same as stealing their identity, and if reliable crime statistics are important, then we need to stop equating the two.

TJ Maxx fires whistleblower

Thursday, May 29th, 2008

A few other people have been all over this already, but TJ Maxx, victim of a rather large electronic break-in a few years ago, has recently fired an employee for revealing many of its lax security policies. The issues he raised were not small ones either:

Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas, that employees were able to log onto company servers using blank passwords, the fired employee, Nick Benson, told The Register. This policy was in effect as recently as May 8, more than 18 months after company officials learned a massive network breach had leaked the details of more than 94 million customer credit cards.

Other security issues included a store server that was running in administrator mode, making it far more susceptible to attackers.

My store manager even posted the password and username on a post-it note.

Lest anyone think this employee started off on the wrong foot, he did try to tell management first, but to no avail. It was only afterwards that he mentioned these things in public. Whether he should have done this or not is clearly a matter that could be the subject of much debate. The issue I feel more strongly about is the way TJ Maxx responded.

Firing this employee is, in my opinion, the worst form of security-through-obscurity. Rather than realizing that lax policies lead to security problems, they think that it’s the revelation of lax policies that leads to security problems. A simple root cause analysis should reveal that it’s the policies, not their revelation, which are the source of the security weaknesses, and it’s time for TJ Maxx to wake up.
