JCPenney’s Breach: Differences From Feds, Gonzalez, JCPenney Itself
Brossart makes some very valid points about the distance that the thieves maintained from the most valuable data. But it’s hard to take the leap that “there was never a risk of customer information being revealed,” given that the team did break into the network and was able to access two credit cards completely enough that the chain chose to replace those customers’ cards.
Federal filings show that JCPenney retained IBM and Mandiant to help with its internal investigation of the intrusion.
The situation is a little less clear with the most recently identified victim of Gonzalez: $561 million chain Wet Seal. Ed Thomas, Wet Seal’s CEO, issued a statement on Monday (March 29) confirming that the chain had been breached but declaring that the thieves got nothing. “We are pleased that time has proven, as we believed from the outset, that none of our customer information was taken,” Thomas said.
The U.S. Probation Department’s pre-sentence report sees it somewhat differently: “Forensic analysis reflects that Gonzalez was working with data stolen from [Wet Seal] less than three weeks prior to his arrest.” And Gonzalez’s plea agreement said “on or about April 22, 2008, Gonzalez modified a file on the Ukrainian Server that contained log data stolen from [Wet Seal’s] computer network.”
Government lawyers have said they can’t prove that any Track 2 card data was taken from Wet Seal, so the chain could have said that. Not that none was taken, but that the government can’t prove that any was taken. Wet Seal could have even said that no credit or debit cards were taken, although the government didn’t go that far. But to say “no customer information was taken” seems at odds with the government filings. Either that or Wet Seal is taking a very narrow view of customer information. What would the cyberthieves have taken that wasn’t customer data? Even log files of purchase activity are customer data.