Retailer JC Penney fought to keep its name secret during court proceedings related to the largest breach of credit card data on record, according to documents unsealed on 29 MAR. JC Penney was among the retailers targeted by Albert Gonzalez’s ring of hackers, which managed to steal more than 130 million credit card numbers from payment processor Heartland Payment Systems and others. Gonzalez was sentenced to 20 years in prison on 26 MAR in U.S. District Court for the District of Massachusetts. In DEC 09, JC Penney — referred to as “Company A” in court documents — argued in a filing that the attacks occurred more than two years ago, and that disclosure would cause “confusion and alarm.” However, it was already suspected JC Penney was one of the retailers after the Web site StorefrontBacktalk was the first outlet to accurately report in AUG 09 that JC Penney was among the retailers targeted by Gonzalez’s group.
New Jersey, where the Gonzalez case started, agreed to keep JC Penney’s identity secret but the case was moved to Massachusetts where authorities decided otherwise, prompting JC Penney’s motion. Disclosing Company A’s identity “may discourage other victims of cybercrimes to report the criminal activity or cooperate with enforcement officials for fear of the retribution and reputational damage that may arise from a policy of disclosure as espoused by the government in this case,” wrote JC Penney attorney Michael D. Ricciuti. In a 12 JAN filing, U.S. prosecutors argued for disclosure. “Most people want to know when their credit or debit card numbers have been put at risk, not simply if, and after, they have clearly been stolen,” the government wrote. “The presumption of disclosure has an additional significant benefit, though, besides the right of the card holder to know when he has been exposed to risk.”
The U.S. Secret Service had told JC Penney that its computer system had been broken into. The retailer’s system had “unquestionably failed,” but the government said the Secret Service did not have evidence that payment card numbers were stolen, U.S. prosecutors wrote. Another retailer, The Wet Seal, said in a statement issued29 MAR that it had also been targeted by Gonzalez’s gang around MAY 08. The Wet Seal has been referred to as “Company B” in court documents. “We found no evidence to indicate that any customer credit or debit card data or other personally identifiable information was taken,” the company said. Other retailers affected by the breach included TJX, 7-Eleven, Hannaford Brothers, Dave & Busters, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. [Source: IDG News Service ComputerWorld Jeremy Kirk article 30 Mar 2010 ++]