Gonzalez’s Mystery Merchant Asks To Stay That Way
Written by Evan SchumanAlbert Gonzalez—who has already pleaded guilty to masterminding a cyberthief ring that stole data from TJX, BJ’s Wholesale Club, Boston Market and Sports Authority, among other major chains—signed papers this month agreeing to plead guilty to the remaining federal charges against him. But one of the retail chain victims, which federal officials have yet to officially identify, asked the court to protect its “dignity” by preventing the government from releasing the chain’s name.
Gonzalez agreed to plead guilty to his role in attacks on Heartland, Hannaford and 7-Eleven in a document signed at 10:14 AM New York time on Dec. 2.
Related Story: Judge Dismisses Lawsuit Against Heartland For Having Had Weak Security When Gonzalez Attacked
The document that Gonzalez signed also ordered the case transferred out of Camden, N.J., and merges it with similar charges in Boston, according to a copy of the Consent to Transfer of Case for Plea and Sentence filing. (That’s the document’s actual name. It’s good to see that the Justice Department isn’t wasting taxpayer dollars on a good copyeditor.) No details of the plea agreement were filed as of late Wednesday (Dec. 9).
One of the more interesting parts of this case has been that at least three retail chain victims in the Gonzalez attacks have remained unidentified—on the record, at least—by federal officials. Published reports have identified Target and J.C. Penney as two of those mystery merchants. But last month, one of those chains quietly had a lawyer ask U.S. District Court Judge Jerome B. Simandle, sitting in Camden, to keep a lid on the chain’s identity.
Attorney Kevin G. Walsh, who identified his client solely as “Company A,” asked Simandle for a protective order to “ensure the preservation of (the major retailer’s) dignity, privacy and anonymity.”
The letter relied on provisions in the Crime Victims Rights Act. There’s something unsettling about equating the victim of a rape or a mugging who should be spared the public humiliation of the crime with a multi-billion-dollar chain’s efforts to keep a major data breach secret from its shareholders and customers. How does a department store preserve it’s “dignity” (borrowing the word from the letter)? When the victim is a publicly held corporation that asks consumers to trust it with various forms of payment cards, should a federal judge sanction those secrecy efforts?
Although not mentioned in this filing, there is one legitimate reason to maintain secrecy, and that’s security. If the details of the breach would reveal security holes that still exist, a legitimate argument could be made to keep either those details or the retailer’s name quiet for a brief period. The only problems are that these breaches occurred several years ago and those holes have presumably been plugged long ago. Indeed, if they have yet to be plugged, I’m not so sure that that retailer doesn’t deserve whatever exposure the public filing would deliver.
The mystery merchant’s concerns may be alleviated by Gonzalez’s guilty plea, but perhaps not. The fear had always been that a trial would not only force the disclosure of all the retail victims’ names but also reveal quite a bit about how weak their security was at the times of the attacks.
A guilty plea doesn’t necessary make that all go away, as attorneys involved in the case might feel comfortable discussing the victims after the case has been resolved. But a federal protective order would certainly help keep those shareholders and customers in the dark.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
