JCPenney, Wet Seal: The Arguments For Keeping Gonzalez Mystery Merchants Secret

Written by Brooklynne Kelly Peters and Evan Schuman
March 26th, 2010

JCPenney and Wet Seal were both officially added to the list of Albert Gonzalez’s retail victims on Friday (March 26) when U.S. District Court Judge Douglas P. Woodlock refused to continue their cloak of secrecy and unsealed their names. StorefrontBacktalk reported last August that the $17 billion JCPenney chain was one of Gonzalez’s victims.

But the $561 million chain Wet Seal, which has 504 stores in 47 states, Washington, D.C., and Puerto Rico, kept its identity secret. No more, though, and that’s the way Woodlock wanted it.

For those keeping track, every reference in the indictment that came out of New Jersey about “Company A” was really talking about JCPenney and every reference to “Company B” was shorthand for Wet Seal, according to Jarrett Lovett, Woodlock’s deputy clerk.

JCPenney attorney Michael Ricciuti, in Boston federal court on March 26, argued that privacy laws should protect the two chains. Woodlock disagreed.

“What we have here is Company A and Company B being at least vulnerable to SQL injection attacks and successful ones. Now, they just did not turn out to be ones in which, apparently, some consumer funds were taken. Company A and Company B can say, ‘We have taken the steps that are necessary to protect us from SQL injections in the future. There was no harm to any customer,'” the judge said. “But it seems to me that this awkward kind of insulation from transparency for a corporation as opposed to, say, a human victim, seems odd to me in light of the fact that there is no privacy right.”

(For a detailed look at what Gonzalez’s crew did to both JCPenney and Wet Seal and to hear from JCPenney and the CIO of one of other victim chains, see JCPenney’s Breach: Differences From Feds, Gonzalez, JCPenney Itself“)

JCPenney’s Ricciuti also argued that some retailers might not cooperate with government federal criminal investigations if they aren’t guaranteed confidentiality. The judge didn’t take kindly to that argument.

“You mean to tell me that Company A and Company B would not cooperate with the Government if faced with something like this? I cannot imagine that they would take that as a corporate policy or even suggest that as a corporate policy. Of course they are going to cooperate. There is no incentive that is needed here,” he said, before tweaking the attorney that there is sometimes special treatment. After the two retailers were given confidentiality in Camden, N.J., Woodluck said: “There is, apparently, a benefit that is available, at least for some people, in the District of New Jersey, but it is not necessarily available here.”

Undaunted, Ricciuti continued his argument. “I think if there is a notion that whenever you cooperate with the Government, you should expect that there is no protection for your identity, that is a huge disincentive for corporations to cooperate,” he said. “They will go to private sources to seal up their breaches and never disclose [them] to the Government and potentially leave consumers at risk. That is a very damaging policy.”


5 Comments | Read JCPenney, Wet Seal: The Arguments For Keeping Gonzalez Mystery Merchants Secret

  1. Tom Mahoney Says:

    It’s about time the information was made public. Kudos to Judge Woodlock.

  2. Roo Lin Says:

    This sounds like salvos in a war between the elected government and the corporate government that really rules this country.

  3. Robert L Santuci Jr. Says:

    I cannot believe how arrogant JC Penney was!

  4. MISdudeE Says:

    Yeah it’s public and likely known about to those in a IT security profession, but already forgotten about in the main public arena. Not to mention I’m willing to bet that new information like this will be overlooked by the media and won’t be considered a headline. Prove me wrong though and you’ll make me smile.

  5. Lee Says:

    What an odd little poem – “Oklahoma ligno and lithograph” – I’m impressed the judge pulled that one out.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.