After Gonzalez Plea, Feds Say BJ’s, OfficeMax Had More Critical Role

Written by Evan Schuman
September 13th, 2009

When Albert Gonzalez officially pleaded guilty to many of the federal cyberthief charges against him on Friday (Sept. 11), the government shed a little more light on the case. Among the new details: BJ’s Wholesale Club was the first retailer attacked; the Secret Service has collected “more than forty million distinct credit and debit card numbers from two computer servers” controlled by Gonzalez and his associates; and the government counted the consumer, retail and bank victims as “an enormous number of people, certainly millions upon millions, perhaps tens of millions.”

Those comments from Assistant Boston U.S. Attorney Stephen Heymann during Friday’s hearing may be the beginning of the end of details to be released about the case. The guilty plea means a trial has been avoided, which in turn means that the government won’t be forced to reveal even more details. That’s a relief to many of the retailers involved because, as they see it, the less light shed on their roles, the better.

In Friday’s hearing, the government for the first time put a number next to the DSW breach, saying that the $1.5 billion apparel chain operating 300 stores in 37 states (in addition to supplying footwear to 367 leased locations) lost more than one million card numbers in the breach.

The government also said that OfficeMax—the $8.3 billion office supplies chain with 939 stores in the United States and 83 in Mexico—played a crucial role, with Heymann saying that OfficeMax’s “then vulnerable encryption of PINs enabled Gonzalez (and a colleague) to sell the conspirators’ bounty for particularly large profits.”

The only new data morsel about TJX to emerge was a Heymann estimate that TJX alone “suffered close to $200 million in losses and associated expenses.” But the prosecutors did paint a somewhat more detailed timeline for the TJX breach.

“The evidence at trial would show that it was Albert Gonzalez’s close collaborator Christopher Scott, who’s pled guilty elsewhere in this courthouse, who first hacked into TJX’s computer network in the summer of 2005 by exploiting wireless connection points at two stores owned by TJX’s Marshall’s subsidiary down in Miami, Florida,” Heymann told U.S. District Court Judge Patti B. Saris, at a hearing in federal court in Boston. “Within a week or two, Scott had accessed the main TJX servers that processed and stored payment card transactions, credit and debit card transactions. Over the coming months, he downloaded files pertaining to tens of billions of payment card transactions, delivering them in turn to Gonzalez for sale.

“These first ones were unencrypted files of payment card data pertaining to old transactions, all completed in or before 2003. Accordingly, many of the payment cards contained in them had expired by the time this data was stolen,” Heymann said. “After 2003, payment card data was always stored in encrypted form, making it more difficult to steal in useful form. It had to be unencrypted to use it. There was, however, just a very brief period during the processing of each transaction when an individual payment card was not encrypted. It was by keenly and aggressively taking advantage of this instant of vulnerability that Gonzalez sought and ultimately succeeded in stealing current unencrypted payment card data.”
