JCPenney, Wet Seal: The Arguments For Keeping Gonzalez Mystery Merchants Secret
Written by Brooklynne Kelly Peters and Evan SchumanJCPenney and Wet Seal were both officially added to the list of Albert Gonzalez’s retail victims on Friday (March 26) when U.S. District Court Judge Douglas P. Woodlock refused to continue their cloak of secrecy and unsealed their names. StorefrontBacktalk reported last August that the $17 billion JCPenney chain was one of Gonzalez’s victims.
But the $561 million chain Wet Seal, which has 504 stores in 47 states, Washington, D.C., and Puerto Rico, kept its identity secret. No more, though, and that’s the way Woodlock wanted it.
For those keeping track, every reference in the indictment that came out of New Jersey about “Company A” was really talking about JCPenney and every reference to “Company B” was shorthand for Wet Seal, according to Jarrett Lovett, Woodlock’s deputy clerk.
JCPenney attorney Michael Ricciuti, in Boston federal court on March 26, argued that privacy laws should protect the two chains. Woodlock disagreed.
“What we have here is Company A and Company B being at least vulnerable to SQL injection attacks and successful ones. Now, they just did not turn out to be ones in which, apparently, some consumer funds were taken. Company A and Company B can say, ‘We have taken the steps that are necessary to protect us from SQL injections in the future. There was no harm to any customer,'” the judge said. “But it seems to me that this awkward kind of insulation from transparency for a corporation as opposed to, say, a human victim, seems odd to me in light of the fact that there is no privacy right.”
(For a detailed look at what Gonzalez’s crew did to both JCPenney and Wet Seal and to hear from JCPenney and the CIO of one of other victim chains, see JCPenney’s Breach: Differences From Feds, Gonzalez, JCPenney Itself“)
JCPenney’s Ricciuti also argued that some retailers might not cooperate with government federal criminal investigations if they aren’t guaranteed confidentiality. The judge didn’t take kindly to that argument.
“You mean to tell me that Company A and Company B would not cooperate with the Government if faced with something like this? I cannot imagine that they would take that as a corporate policy or even suggest that as a corporate policy. Of course they are going to cooperate. There is no incentive that is needed here,” he said, before tweaking the attorney that there is sometimes special treatment. After the two retailers were given confidentiality in Camden, N.J., Woodluck said: “There is, apparently, a benefit that is available, at least for some people, in the District of New Jersey, but it is not necessarily available here.”
Undaunted, Ricciuti continued his argument. “I think if there is a notion that whenever you cooperate with the Government, you should expect that there is no protection for your identity, that is a huge disincentive for corporations to cooperate,” he said. “They will go to private sources to seal up their breaches and never disclose [them] to the Government and potentially leave consumers at risk. That is a very damaging policy.”
-Marc
March 26th, 2010 at 11:16 pm
It’s about time the information was made public. Kudos to Judge Woodlock.
April 1st, 2010 at 9:13 am
This sounds like salvos in a war between the elected government and the corporate government that really rules this country.
April 1st, 2010 at 9:18 am
I cannot believe how arrogant JC Penney was!
April 1st, 2010 at 10:00 am
Yeah it’s public and likely known about to those in a IT security profession, but already forgotten about in the main public arena. Not to mention I’m willing to bet that new information like this will be overlooked by the media and won’t be considered a headline. Prove me wrong though and you’ll make me smile.
April 1st, 2010 at 3:41 pm
What an odd little poem – “Oklahoma ligno and lithograph” – I’m impressed the judge pulled that one out.