For the past few months, national retailer J.C. Penney has been fighting an under-seal court battle to keep you from knowing that its payment card network was breached by U.S. and Eastern European hackers.

Scenes From a Hack

Chat logs between Albert Gonzalez and an Eastern European accomplice regarding the J.C. Penney intrusion.

Gonzalez: 11/1/2007 7:50:38 PM have you done any work on jcp?
372712: 11/1/2007 7:51:13 PM i personally didnt, [hacker 2] just scanned few sqls for weak pw
Gonzalez: 11/1/2007 7:52:12 PM i thought jcp was inject
372712: 11/1/2007 7:52:29 PM yes i mean he scanned inside
372712: 11/1/2007 7:52:37 PM i hacked jcp with injection too
372712: 11/1/2007 7:53:26 PM they have most of ports open wasnt too hard
Gonzalez: 11/4/2007 8:04:01 PM what did [hacker 2] say about jcp?
372712: 11/4/2007 8:04:40 PM he hacked 100+ sqls inside and stopped
372712: 12/16/2007 3:31:45 PM [hacker 2] told me he found a place to sniff for dumps [credit card magstripe data] in jcp
[…]
372712: 12/16/2007 3:36:01 PM i see, hacker 2 showed you anything?
372712: 12/16/2007 3:36:19 PM JCP-J98 A..??..hIPCRED980?8U$?…T10014.I000
COLJ wa……[REDACTED]/LISA A ^49127010[REDACTED]0000000000000 JCP-J98 A..??..hIPCRED9808U$?…T10014.I000
COLJ[REDACTED]/LISA A^49127010[REDACTED]000000000
Gonzalez: 12/16/2007 3:36:19 PM nope, when did [hacker 2] have this news?
372712: 12/16/2007 3:36:30 PM yesterday?
Gonzalez: 12/16/2007 3:38:19 PM hmm, where is track2?
372712: 12/16/2007 3:39:42 PM hm yea, maybe he didn’t send me full log
Gonzalez: 12/16/2007 3:39:59 PM im curious how [hacker 2] moved around on jcp so quickly w/o making noise
372712: 12/16/2007 3:40:59 PM sql servers is his key to everything heh
Gonzalez: 12/24/2007 3:38:20 PM i got access to the jcp pos [point-of-sale] network 🙂
372712: 3/17/2008 7:25:10 PM how are things ended with JCP?
Gonzalez: 3/17/2008 7:25:53 PM i stopped bruting the domain admin pw
Gonzalez: 3/17/2008 7:26:01 PM after [hacker 2] got domain admin i stopped

Source: Government court filing in U.S. v. Gonzalez

The intrusions, by TJX hacker Albert Gonzalez and his overseas accomplices, began in October 2007. J.C. Penney admits it was “wholly unaware” of the breach until the Secret Service told the company about it in May 2008, but now says with certitude that no identity or bank-card data was stolen in the breach it failed to detect. That’s why the company didn’t want to be identified to the public, says spokeswoman Darcie Brossart.

“Because there was no reason to think that the hackers were successful, there was no need to alarm J.C. Penney customers,” says Brossart. “We believed we had a legitimate interest in not being linked to criminal activity that resulted in major thefts from other companies.”

So in court filings, J.C. Penney argued that it was entitled to anonymity under the 2004 Crime Victims’ Rights Act, a law intended to protect the “dignity and privacy” of victims. A federal judge on Friday ordered the company’s identity unsealed anyway, as well as that of a second breached company, clothing retailer Wet Seal.

It’s a familiar story. Companies have never been eager to have their security slip-ups revealed to consumers. What was different, and remarkable, this time around is that an assistant U.S. attorney argued that J.C. Penney and Wet Seal should be identified. The lead prosecutor in the largest identity-theft hacks in U.S. history argued for disclosure.

From a motion by Assistant U.S. Attorney Stephen Heymann, which was unsealed Monday:

The Secret Service went to J.C. Penney with the information and evidence that its computer system, used to process payment card transactions, had been broken into. Although the protective system used by J.C. Penney had unquestionably failed, the Secret Service had no evidence as to whether payment card numbers had been stolen. Our presumption of public disclosure in charged criminal cases does not depend on the costly proof of evidence of negligence by the corporation, which we rarely can obtain, and then only with the full cooperation and guidance of the company. Most people want to know when their credit or debit card numbers may have been put at risk, not simply if, and after, they have clearly been stolen. The presumption of disclosure has an additional significant benefit, though…. Knowing that card holders will be concerned whenever their credit or debit card information is put at risk, if they know of it, provides an incentive to companies to invest in the protections their customers would want. Transparency makes the market work in this area.

It’s a bit jarring to see a lucid pro-transparency, pro-security argument from a federal prosecutor. For years, law enforcement has had an informal policy of protecting companies from the public relations consequences of their poor security — a kind of omerta among intruders, the companies they hack and the feds, where only the public is left in the dark. To be sure, it’s never been set in stone, and not all feds have played ball. But it’s a common practice, and it corrodes accountability.

It began with the first big for-profit card breach of the internet era — the 1997 case of Carlos Salgado Jr., who was caught trying to sell 80,000 stolen credit card numbers on IRC. The government persuaded Salgado’s judge to permanently seal the identity of the company he hacked, in order to shield it from “loss of business due to the perception by others that computer systems may be vulnerable.” That the perception would be completely accurate didn’t matter in the least.

Back then, the feds were worried that companies would stop reporting intrusions if they got bad press. J.C. Penney raised this argument as well, warning that outing the company “may discourage other victims of cybercrimes to report the criminal activity or cooperate with enforcement officials.” It takes real cojones to tell a judge that chain stores around the country are prepared to commit the federal crime of misprision if J.C. Penney doesn’t get its way.

U.S. District Judge Douglas Woodlock shot back that he was “astonished” that a company would even think to not cooperate with law enforcement, and ultimately determined “there shouldn’t be privacy for corporations.” “It is so absurd to think that [corporations] are entitled to special benefits,” he said on Friday.

California’s 2003 breach-disclosure law, and similar laws now in effect in 45 states, have already done a lot to shatter the code of silence surrounding breaches, but that didn’t stop New Jersey federal prosecutors from initially promising J.C. Penney anonymity. It was only when the Gonzalez case was transferred to Boston — and a new prosecutor — that the public gained an advocate in the case. Heymann’s successful defense of transparency suggests a sea change in law enforcement: a recognition that data breaches don’t occur in a vacuum. They fester under a rock, and wither and die only when flooded with sunlight.

As Heymann acknowledged in his filing (.pdf), there can be valid law enforcement reasons for withholding identification of an intrusion target. But protecting the “dignity” of the company isn’t one of them. The Justice Department should adopt this prosecutor’s position as its default in identity-theft breaches.

Image courtesy Roadsidepictures
