J.C. Penney left to hang by the very courts it attempted to help

J.C. Penney, known as 'Company A' in the case against Albert Gonzalez, never needed a legal shield to keep its name out of court documents. It was handed to them by prosecutors. After the case was moved, J.C. Penney found itself in a legal fight between districts.

J.C. Penney’s name was withheld initially by the U.S. Attorney in New Jersey, because the decision was made to name in the indictment only those companies that had suffered significant losses of credit card data. The companies that hadn’t suffered significant losses were to be listed as 'Company A' and 'Company B'. It wasn’t until the case was moved to Massachusetts that the rules changed, and the fight to name 'Company A' started.

J.C. Penney’s stance was one of 'why disclose something that didn’t happen?' Adding to that was the fact that initially, J.C. Penney was seen as a company not important enough to name, at least in the New Jersey indictment. While Wet Seal, which admitted to being 'Company B', was apparently fine with the changes made to the rules, J.C. Penney fought them, viewing the matter as one of principle.

[Edit: Sources have confirmed that, while the information has never been brought to the public, Wet Seal was in court to fight being named. They have not returned calls to us on this matter.]

The truth is that J.C. Penney believed it had a legitimate interest in not being linked to criminal activity that resulted in major thefts of credit card information from other companies.

“In this case, New Jersey indicated that it would apply a different policy while the case remained in their hands, but made no commitment that J.C. Penney’s name would never be disclosed in the course of litigation there or elsewhere,” Assistant U.S. Attorney Stephen Heymann wrote in a motion filed last December in Boston.

“A case may begin in a jurisdiction without this presumption, as it did in New Jersey in this case. Then it can move to a jurisdiction with this presumption, such as Massachusetts, for any one of a number of reasons.”

Heymann added in his motion that J.C. Penney was aware New Jersey could not enforce its rules in Massachusetts, and that Massachusetts has a presumption of transparency that applies to corporations that have been the victims of fraud or abuse.

However, those in the public following the case learned J.C. Penney was 'Company A' long before court records were unsealed this week.

In court documents, an article published by CBS News on December 11, 2009, was said to diminish J.C. Penney’s interests in remaining anonymous, as it was already named as one of the retailers hit by Gonzalez and his cohorts.

The CBS opinion piece, written by StorefrontBacktalk editor Evan Schuman, was followed up later with claims that J.C. Penney denied being involved in the case. The fact is that J.C. Penney never officially denied its involvement; it simply refused to answer questions from the press about whether or not it was a breach victim.

[Edited to clarify statements made by JC Penney to the press.]

So was the move to name J.C. Penney a case of advocacy on behalf of the public? The legal team for J.C. Penney had a right to challenge the rules in order to keep the company listed as 'Company A' in both districts.

While Judge Woodlock’s ruling to name J.C. Penney looks like advocacy, it’s more a matter of law. Massachusetts has strong transparency laws, stronger than those of many other states, and because of that, J.C. Penney never stood a chance once the case was moved.

So what happened on J.C. Penney’s network? Was there a breach? If so, what was accessed, how was it addressed, and were customers informed?

"While there was an apparent attempt to obtain bank card information from our systems in October 2007, there is no evidence that they were successful. And we have seen no indication of any fraudulent activity with respect to any J.C. Penney customers' credit card information in connection with this incident," Darcie Brossart, VP of Corporate Communications for J.C. Penney, told The Tech Herald.

While this statement looks clear-cut, there is the matter of what Heymann wrote in his motion.

According to the filing: "The Secret Service went to J.C. Penney with the information and evidence that its computer system, used to process payment card transactions, had been broken into. Although the protective system used by J.C. Penney had unquestionably failed, the Secret Service had no evidence as to whether payment card numbers had been stolen."

The evidence referenced is an ICQ conversation between Gonzalez and another defendant in the case. In the conversation, Gonzalez asked if the defendant he was speaking to had done any work on “jcp”, shorthand for J.C. Penney.

The conversation makes clear that another defendant had carried out a successful SQL injection attack and obtained Track 2 card data. After the conversation in which the Track 2 card data was shared with Gonzalez, later conversations discussed illegal admin access to J.C. Penney’s POS network and brute force attempts to gain domain administrator privileges.

When shown the conversation, J.C. Penney explained to the Secret Service that the Track 2 card data was from store cards issued by J.C. Penney. Internal auditing showed that, despite the claims made in the ICQ conversation, the defendant who accessed J.C. Penney’s network did make noise and left traces of the intrusion. At that point J.C. Penney was able to lock down its systems, blocking Gonzalez and the others from further attempts.

Because the Track 2 card data belonged to J.C. Penney store cards, the company handled the issue internally, replacing the cards and informing the customers affected. The replacements were proactive, as the data shown was not enough to replicate complete cards. In the case of the two cards listed in the ICQ conversation, we’re told the customers referenced were informed immediately and the cards were replaced.

While monitoring network security after the fact, J.C. Penney confirmed that none of the national credit cards used by its customers, such as MasterCard, Visa, or American Express, were stolen.

"Since there was no evidence that hackers were successful in their attempt to obtain and misuse credit card information from J.C. Penney and no evidence of any related fraudulent activity in any accounts, there was no need to alarm J.C. Penney customers about the attempted breach," Brossart explained.

"For the same reasons and because the activity had no material impact on J.C. Penney's operations or financial condition, J.C. Penney was not legally obligated to make a public disclosure. There was no need to alarm cardholders and shareholders about a risk that did not occur."

Most of the media reports paint a picture of J.C. Penney suffering a breach and doing nothing. That isn’t entirely true. The company cooperated fully when asked, and it was only when the case moved from New Jersey that it sought to keep the J.C. Penney name out of view. J.C. Penney was hacked, but it resolved the issue internally. The only thing it didn’t do was tell the world what steps had been taken after talking with the Secret Service.

J.C. Penney is confident that its fraud detection and prevention measures would have prevented abuse, even assuming that the data accessed and disclosed in the ICQ conversation had been enough to produce a fake store card. At the same time, if the evidence brought forward by the Secret Service had included a national card, there would be no discussion, as the company would have audited its systems and informed the public.

If J.C. Penney can be blamed for anything, it would be for dealing with things internally. Still, based on our conversation with the company, J.C. Penney did what it had to do in order to protect both its customers and its business.

You can’t blame J.C. Penney for doing this. Considering that none of the national cards exposed during the Gonzalez case were linked to J.C. Penney (something we know thanks to the banks and merchants coming clean by reporting what was lost), its side of the story fits. Again, its systems were hacked, but not on the same scale as the others.

Moreover, J.C. Penney has a point with regard to needless panic: even now, no distinction is made between the card data shown in the ICQ conversation and the data lost by the other companies. Like it or not, there is a big difference between a national card and a store credit card, as one of them has a much larger impact on fraud than the other.

The main point in all the press coverage is disclosure. Should J.C. Penney have disclosed what happened, even though doing so could have caused more panic than it was worth?

Maybe, as long as there was a clear explanation. But you rarely get that from press statements. And when legal matters are ongoing, lawyers hate it when PR departments talk, so little information will be released.

What would have happened if J.C. Penney had simply announced it had been hacked, with no mention of internal cards? Would the assumption then be that national cards were at risk? What good does that do consumers?

We support disclosure, and the consumer protections like those that eventually forced J.C. Penney to see its name made public. However, in this case, it seems as if having the company named so late in the game does more harm than good.

To most watching the case, the issue of giving a name to 'Company A' is moot now. Gonzalez pled guilty and has been sentenced, and the millions of cards exposed by his actions were already replaced.

If J.C. Penney had been named early on like many of the others affected, this wouldn’t be such a mess. However, those prosecuting the case chose to leave J.C. Penney out from the start, and that spiraled into what looks like a company hiding things. Perhaps if J.C. Penney offered documentation that things were dealt with internally, that point of view would disappear.

If anything, this ordeal looks like J.C. Penney was tossed into a sparring match between courts, and no matter how the judge ruled, it wasn't going to walk away without looking bad. It’s almost as if the company was burned over a difference of legal opinion between New Jersey and Massachusetts.

Until there is a good balance between the states regarding privacy and notification laws, issues like the one J.C. Penney faced will never go away. It was in a 'damned if you do, damned if you don’t' position, a place no company likes to be.

The links below are copies of the court documents. They were purchased by the Open Security Foundation for public viewing.

[Document 1]

[Document 2]

[This editorial is the opinion of Steve Ragan and not necessarily those of the staff on The Tech Herald or the Monsters and Critics (M&C) network. Comments can be left below or sent to [email protected]]
