
This is page 2 of:

After Gonzalez Plea, Feds Say BJ’s, OfficeMax Had More Critical Role

September 13th, 2009

Heymann also said that Gonzalez’s group began its second stage of attacks against TJX in the summer of 2006 when Scott obtained VPN access to TJX’s network, which certainly made the theft easier. “This VPN connection allowed Gonzalez and Scott to access TJX over the Internet and eliminated the need for them to be uncomfortably close to Marshall’s stores, parked out in a car where they could have wireless access to the TJX servers,” he said.

They then started using a sniffer to complete the thefts, Heymann said. “Gonzalez’s sniffer program was specially configured to capture the unencrypted payment cards, unencrypted credit card and debit card information as it was being processed in that brief instant. To obtain a sniffer program capable of exploiting TJX’s computer network, Gonzalez turned to his longtime associate Steven Watt, who has also pled guilty in another session in this courthouse.”

“Under Gonzalez’s direction, Watt specifically configured the sniffer program to take advantage of a vulnerability which he had spotted in TJX’s payment card processing system and then later refined it to make it less visible so the people running TJX wouldn’t see it and it would function more smoothly, so it would just capture the useful data,” he said. “Ultimately that sniffer, first named ‘blabla’ and then renamed ‘Issas’ on the system, systematically logged payment cards and files which Scott and Gonzalez took out at regular intervals over their VPN.”

The judge expressed strong concerns over the dollars being taken from Gonzalez and others accused of these thefts and wondered whether that money would be even remotely enough to cover the victims’ losses.

After being told that the restitution amount was “to be determined by the court but no less than $600,000,” Judge Saris sounded frustrated: “I had a sinking sensation that the number of victims may far exceed the amount of money involved, so is there an agreement essentially that the pool of whatever is available will be divvied up between the victims of both crimes, both New York and Massachusetts? Is that how I’m going to do it? We’ve already heard a few companies lost a fortune, not to mention the individuals, so I’m assuming—maybe I’m wrong—that they haven’t found enough money to somehow pay everybody, so it’s going to be a limited pool, right?”

Heymann told the judge that with the large number of different kinds of victims in these cases—banks, consumers, retailers, etc.—this restitution could be difficult to resolve. “There are the individuals who may or may not have been reimbursed, may or may not have had their lives affected by the fact that all of a sudden they found that somebody else was using their credit card,” Heymann said.

The judge replied: “I have the right to simply take a nosedive and let people fight it out civilly if it’s too complicated in restitution, but, ideally speaking, you don’t put people to that expense. I don’t know how I’ll divide up between TJX and Dave & Buster’s. I don’t even know how I go about thinking about that, not to mention the individuals, since we have—how much would you figure you have all together in a pool? How much money do you have?”

Heymann replied that “it’s very modest amounts compared to the very large numbers and sizes of losses that you’ve heard in the course of the allocution,” which prompted a Gonzalez attorney, Martin Weinberg of Boston, to question the phrasing, given that almost $3 million in cash and goods have been surrendered.

“I don’t necessarily agree (that) what has been voluntarily disgorged is modest, but I do agree that it’s certainly modest relative to what TJX represents to be its corporate repair costs. But, no, I think that we will largely be silent parties and the Court will need to make restitution” decisions.



Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mismatch makes it easier to use them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them

Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved.

A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse).

The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIN. Hence, $10 prices for US cards vs $25 for the European counterparts.

@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7.
