After Gonzalez Plea, Feds Say BJ’s, OfficeMax Had More Critical Role
Written by Evan Schuman
When Albert Gonzalez officially pleaded guilty to many of the federal cyberthief charges against him on Friday (Sept. 11), the government shed a little more light on the case. Among the new details: BJ’s Wholesale Club was the first to be attacked, and the Secret Service has collected “more than forty million distinct credit and debit card numbers from two computer servers” controlled by Gonzalez and his associates and has counted the consumer, retail and bank victims as “an enormous number of people, certainly millions upon millions, perhaps tens of millions.”
Those comments from Assistant Boston U.S. Attorney Stephen Heymann during Friday’s hearing may be the beginning of the end of details to be released about the case. The guilty plea means a trial has been avoided, which in turn means that the government won’t be forced to reveal even more details. That’s a relief to many of the retailers involved because as they see it, the less light shed on their roles, the better.
In Friday’s hearing, the government for the first time put a number next to the DSW breach, saying that the $1.5 billion apparel chain operating 300 stores in 37 states (in addition to supplying footwear to 367 leased locations) lost more than one million card numbers in the breach.
The government also said that OfficeMax—the $8.3 billion office supplies chain with 939 stores in the United States and 83 in Mexico—played a crucial role, with Heymann saying that OfficeMax’s “then vulnerable encryption of PINs enabled Gonzalez (and a colleague) to sell the conspirators’ bounty for particularly large profits.”
The only new data morsel about TJX to emerge was a Heymann estimate that TJX alone “suffered close to $200 million in losses and associated expenses.” But the prosecutors did paint a somewhat more detailed timeline for the TJX breach.
“The evidence at trial would show that it was Albert Gonzalez’s close collaborator Christopher Scott, who’s pled guilty elsewhere in this courthouse, who first hacked into TJX’s computer network in the summer of 2005 by exploiting wireless connection points at two stores owned by TJX’s Marshall’s subsidiary down in Miami, Florida,” Heymann told U.S. District Court Judge Patti B. Saris, at a hearing in federal court in Boston. “Within a week or two, Scott had accessed the main TJX servers that processed and stored payment card transactions, credit and debit card transactions. Over the coming months, he downloaded files pertaining to tens of billions of payment card transactions, delivering them in turn to Gonzalez for sale.
“These first ones were unencrypted files of payment card data pertaining to old transactions, all completed in or before 2003. Accordingly, many of the payment cards contained in them had expired by the time this data was stolen,” Heymann said. “After 2003, payment card data was always stored in encrypted form, making it more difficult to steal in useful form. It had to be unencrypted to use it. There was, however, just a very brief period during the processing of each transaction when an individual payment card was not encrypted. It was by keenly and aggressively taking advantage of this instant of vulnerability that Gonzalez sought and ultimately succeeded in stealing current unencrypted payment card data.”