informa
/
Attacks/Breaches
News

It's Not Wal-Mart's Business

Alleged surveillance operation goes beyond the retailer's core competencies

3:50 PM -- I don't know which irks me more: the idea that Wal-Mart has been routinely surveilling employees, contractors, and critics, or the company's attitude that such activities are part of everyday business.

According to the Associated Press, Wal-Mart defended its security measures after a fired employee went public earlier today with allegations of extensive corporate surveillance of the retailer's critics, consultants, and shareholders. Bruce Gabbard, a 19-year Wal-Mart employee, told The Wall Street Journal about the surveillance after being fired by the retailer for recording phone calls and intercepting pager messages.

Gabbard reported he was part of a large, sophisticated surveillance operation by the Threat Research and Analysis Group, a unit of Wal-Mart's Information Systems Division.

Among other activities, Gabbard said, Wal-Mart sent an employee to infiltrate an anti-Wal-Mart group to learn if it was going to protest at the annual shareholders' meeting and investigated McKinsey & Co. employees it believed leaked a memo about Wal-Mart's healthcare plans. It also uses software programs to read emails sent by workers using private email accounts, he said.

Gabbard said he recorded the calls on his own but added many of his activities were approved by Wal-Mart. The Journal said other employees and security firms confirmed parts of his account.

A Wal-Mart spokeswoman would not address the specific allegations, but she did not deny that the retailer has done some surveillance.

"Like most major corporations, it is our corporate responsibility to have systems in place, including software systems, to monitor threats to our network, intellectual property, and our people," Wal-Mart spokeswoman Sarah Clark said. "These situations are limited to cases which are high risk to the company or our associates, such as criminal fraud or security issues."

It's this statement that bothers me. Yes, corporations have a responsibility to protect their intellectual property and their customers' data. But it's not their business to infiltrate consumer groups or collect personal photos of outspoken critics, as Gabbard alleges in the Journal. There's a line between strong IT security and amateur spying, and if Gabbard's allegations prove to be true, then Wal-Mart has definitely crossed it.

Now, don't get me wrong. Many enterprises monitor employee activity in the workplace, and that includes email surveillance. (See March's Email Madness.) And if you're big enough to afford it, there's nothing inherently wrong with having a Threat Research and Analysis Group -- in fact, Wal-Mart rival Target has a computer forensics group that would be the envy of some police departments.

But if Hewlett-Packard went over the line in "pretexting" its employees to identify the source of a news leak, then Gabbard is right to cry foul on what appears to be a much more extensive chain of investigations. In fact, we should set a new rule right now: If you're writing a purchase order for "disguises," your internal investigation has probably gone too far.

It's too early to take Wal-Mart to task for today's allegations -- the company hasn't clearly admitted to any of the charges. But the lack of remorse or outrage in the company's response suggests that the alleged tactics are not too far from business as usual.

And that, I think, is what really worries me.

— Tim Wilson, Site Editor, Dark Reading

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5