This past weekend, my wife and I went shopping at a local outlet center. She had a return to make at a store belonging to a major national brand. My wife hates making returns, so she asked me to take the return to the register.
While at the register processing the return, I looked down and noticed a yellow post-it note taped to the top of the system with a number and a password in plain sight for all to see. I shook my head and couldn't help myself. I told the woman behind the register that it was really bad security to leave what appeared to be an associate number and password in plain sight for anyone to see. I said this is how systems are compromised and data breaches happen. She shrugged it off and said it was OK because it was for a new associate to help them during the training. I couldn't believe how dismissive she was. My wife told her that I work in IT and am focused on cybersecurity issues. She still shrugged it off, so I took a picture, which you can see below. I blurred out the associate's number and anything in the frame that could identify the retailer.
Bad enough that this was in plain sight, but check out the Pa$$word1. Really? That's a secure password for this company's point-of-sale retail system? Unbelievable.
Retailers are a huge risk and this proves the point. I worry about smaller retailers who don't have the resources to properly address cybersecurity. This national chain absolutely does and they are not, at least not at the local store level. And yes, I have reached out to the company to let them know what I observed. It's incredibly negligent to have usernames and passwords written down and taped to a computer like this. It's equally negligent to allow such a weak and easily compromised password. Until we can stop behavior like this, breaches will keep happening and no one should be surprised by that.