JC Penney tried to block publication of data breach

Documents unsealed on Monday show the retailer tried to keep its name out of court papers

Retailer JC Penney fought to keep its name secret during court proceedings related to the largest breach of credit card data on record, according to documents unsealed on Monday.

JC Penney was among the retailers targeted by Albert Gonzalez's ring of hackers, which managed to steal more than 130 million credit card numbers from payment processor Heartland Payment Systems and others. Gonzalez was sentenced to 20 years in prison on Friday in U.S. District Court for the District of Massachusetts.

10 woeful tales of data gone missing

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Retailer JC Penney fought to keep its name secret during court proceedings related to the largest breach of credit card data on record, according to documents unsealed on Monday.

JC Penney was among the retailers targeted by Albert Gonzalez's ring of hackers, which managed to steal more than 130 million credit card numbers from payment processor Heartland Payment Systems and others. Gonzalez was sentenced to 20 years in prison on Friday in U.S. District Court for the District of Massachusetts.

10 woeful tales of data gone missing

In December, JC Penney -- referred to as "Company A" in court documents -- argued in a filing that the attacks occurred more than two years ago, and that disclosure would cause "confusion and alarm."

However, it was already suspected JC Penney was one of the retailers after the Web site StorefrontBacktalk was the first outlet to accurately report in August 2009 that JC Penney was among the retailers targeted by Gonzalez's group.

New Jersey, where the Gonzalez case started, agreed to keep JC Penney's identity secret but the case was moved to Massachusetts where authorities decided otherwise, prompting JC Penney's motion.

Disclosing Company A's identity "may discourage other victims of cybercrimes to report the criminal activity or cooperate with enforcement officials for fear of the retribution and reputational damage that may arise from a policy of disclosure as espoused by the government in this case," wrote JC Penney attorney Michael D. Ricciuti.

In a Jan. 12 filing, U.S. prosecutors argued for disclosure. "Most people want to know when their credit or debit card numbers have been put at risk, not simply if, and after, they have clearly been stolen," the government wrote. "The presumption of disclosure has an additional significant benefit, though, besides the right of the card holder to know when he has been exposed to risk."

The U.S. Secret Service had told JC Penney that its computer system had been broken into. The retailer's system had "unquestionably failed," but the government said the Secret Service did not have evident that payment card numbers were stolen, U.S. prosecutors wrote.

Another retailer, The Wet Seal, said in a statement issued Monday that it had also been targeted by Gonzalez's gang around May 2008. The Wet Seal has been referred to as "Company B" in court documents.

"We found no evidence to indicate that any customer credit or debit card data or other personally identifiable information was taken," the company said.

Other retailers affected by the breach included TJX, 7-Eleven, Hannaford Brothers, Dave & Busters, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.

The IDG News Service is a Network World affiliate.