Gonzalez’s Mystery Merchant Asks To Stay That Way

Written by Evan Schuman
December 10th, 2009

Albert Gonzalez—who has already pleaded guilty to masterminding a cyberthief ring that stole data from TJX, BJ’s Wholesale Club, Boston Market and Sports Authority, among other major chains—signed papers this month agreeing to plead guilty to the remaining federal charges against him. But one of the retail chain victims, which federal officials have yet to officially identify, asked the court to protect its “dignity” by preventing the government from releasing the chain’s name.

Gonzalez agreed to plead guilty to his role in attacks on Heartland, Hannaford and 7-Eleven in a document signed at 10:14 AM New York time on Dec. 2.


The document that Gonzalez signed also ordered the case transferred out of Camden, N.J., and merged with similar charges in Boston, according to a copy of the Consent to Transfer of Case for Plea and Sentence filing. (That’s the document’s actual name. It’s good to see that the Justice Department isn’t wasting taxpayer dollars on a good copyeditor.) No details of the plea agreement were filed as of late Wednesday (Dec. 9).

One of the more interesting parts of this case has been that at least three retail chain victims in the Gonzalez attacks have remained unidentified—on the record, at least—by federal officials. Published reports have identified Target and J.C. Penney as two of those mystery merchants. But last month, one of those chains quietly had a lawyer ask U.S. District Court Judge Jerome B. Simandle, sitting in Camden, to keep a lid on the chain’s identity.

Attorney Kevin G. Walsh, who identified his client solely as “Company A,” asked Simandle for a protective order to “ensure the preservation of (the major retailer’s) dignity, privacy and anonymity.”

The letter relied on provisions in the Crime Victims Rights Act. There’s something unsettling about equating the victim of a rape or a mugging who should be spared the public humiliation of the crime with a multi-billion-dollar chain’s efforts to keep a major data breach secret from its shareholders and customers. How does a department store preserve its “dignity” (borrowing the word from the letter)? When the victim is a publicly held corporation that asks consumers to trust it with various forms of payment cards, should a federal judge sanction those secrecy efforts?

Although not mentioned in this filing, there is one legitimate reason to maintain secrecy, and that’s security. If the details of the breach would reveal security holes that still exist, a legitimate argument could be made to keep either those details or the retailer’s name quiet for a brief period. The only problems are that these breaches occurred several years ago and those holes have presumably been plugged long ago. Indeed, if they have yet to be plugged, I’m not so sure that that retailer doesn’t deserve whatever exposure the public filing would deliver.

The mystery merchant’s concerns may be alleviated by Gonzalez’s guilty plea, but perhaps not. The fear had always been that a trial would not only force the disclosure of all the retail victims’ names but also reveal quite a bit about how weak their security was at the times of the attacks.

A guilty plea doesn’t necessarily make that all go away, as attorneys involved in the case might feel comfortable discussing the victims after the case has been resolved. But a federal protective order would certainly help keep those shareholders and customers in the dark.

