Breach, Threat Management, Data Security, Threat Management

JCPenney joins Heartland, TJX as Gonzalez victims

Two more retailers can be added to the list of companies targeted in the credit card crime ring orchestrated by Albert Gonzalez, who last week received the largest-ever U.S. prison sentence for a hacker.

Major U.S. department store chain JCPenney and women's clothing retailer Wet Seal can now be included among the companies targeted by Gonzalez and his crew, best known for their compromises of Heartland Payment Systems and TJX, parent of T.J. Maxx and Marshalls.

Court documents unsealed Friday by U.S. attorneys in Boston outed the two retailers, which were originally referred to in an indictment against Gonzalez as “Company A” and “Company B,” respectively.

According to one of the documents, obtained by the nonprofit Open Security Foundation, prosecutors in New Jersey – where Gonzalez' case began – agreed to keep JCPenney's name out of the indictment because the U.S. Secret Service had found no evidence that payment card numbers were stolen during the intrusion. Gonzalez' case was transferred to Boston, however, where attorneys ultimately decided to disclose JCPenney's involvement, in the interest of transparency.

“Knowing that cardholders will be concerned whenever their credit or debit card information is put at risk, if they know of it, provides an incentive to companies to invest in the protections their customers would want,” the document states. “Transparency makes the market work in this area.”

In a statement sent to SCMagazineUS.com on Tuesday, JCPenney confirmed that hackers did attempt to obtain bank card information from its systems in October 2007, but said there was no evidence the hackers were successful.

The company said there was no need to alarm its customers with a notification about the incident since the hackers did not obtain card information. Also, the incident did not have any impact on JCPenney's operations or financial condition, so the company was not legally mandated to publicly disclose the incident.

But the court filings obtained by the Open Security Foundation did include an attachment containing a chat transcript between two unnamed hackers. The exchange includes discussion around what appear to be successful SQL injections of JCPenney's network. One message reads: "They [presumably JCPenney] have most of [their] ports open. [It] wasn't too hard."

Still, the company stands by its belief that no card numbers were exposed.

“There was no need to alarm cardholders and shareholders about a risk that did not occur,” the statement said. “Since no JCPenney customers were harmed as a result of the attempted breach, the company believed it had a legitimate interest in not being linked to criminal activity that resulted in major thefts of credit card information from other companies.”

JCPenney added that it takes its responsibility to protect all confidential customer information seriously and has safeguards in place to do that.

In addition, Wet Seal confirmed on Monday that it was one of the companies targeted by Gonzalez.

Ed Thomas, the merchant's president and CEO, said in a news release that the company discovered hackers obtained unauthorized access to its information systems in May 2008. Like JCPenney, WetSeal stressed that no credit or debit card data or other personally identifiable information was taken during the intrusion.

“In working with the major credit card processing agencies, we also have identified no instances of credit card fraud to suggest that any such data was taken,” Thomas said.

Within two days of discovering the breach, Wet Seal eliminated the security vulnerability that the attackers had exploited, he added. In addition, Wet Seal passed its most recent information security audit and is in compliance with the Payment Card Industry Data Security Standard (PCI DSS).

"The security of our customers' personal information is of utmost importance to us, and we acted quickly and decisively when this matter arose two years ago,” Thomas said. “We are pleased that time has proven, as we believed from the outset, that none of our customer information was taken.”

Gonzalez, 28, of Miami, was sentenced on Thursday to 20 years in prison for his role as the ringleader of a group of cybercriminals that stole tens of millions of credit and debit card numbers from retailers TJX, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority. On Friday, he received a second 20-year prison sentence for hacking into the payment card networks of Heartland Payment Systems, 7-Eleven and Hannaford Bros. supermarket chain to steal more than 130 million credit and debit card numbers.

His two prison terms will run concurrently.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.