JCPenney has dodged a huge bullet... until now.

2010-03-29 by d2d 120px-jcpenney_great_falls_mt

Now being reported in the mainstream media, JCPenney was "Company A" in the recently infamous Albert Gonzalez trial. In court filings, we found some attachments that seem to have been a convincing factor in the judges decision to unseal the identity of "Company A", a.k.a JCPenney. JCP fought hard to keep its identity concealed, but ultimately it would seem that these attachments, as well as some reporting by Evan Schuman made the difference.

Attachment A, filed in document 14 of the case (for those following the case on PACER, etc.), shows ICQ chat extracts where Gonzalez and a co-conspirator discuss JCPenney. It is damning from a security professionals point of view. It would seem almost irrefutable that JCPenney was compromised. How many cards were stolen are unknown, but cards were almost undoubtedly stolen and JCPenney has (until now) seemingly dodged a huge public relations bullet. Below is a snippet from the attachment:

  • Gonzalez: "what did hacker 2 say about jcp?"
  • Conspirator: "he hacked 100+ sqls inside and stopped"
  • Gonzalez: "hacker 2 told me he found a place to snif for dumps in jcp"
  • Gonzalez: "i see, hacker 2 showed you anything?"

Gonzalez then posts what appears to be names and credit card details (redacted in the court docs). They then go on to talk about how one of the conspirators had "domain admin" access, suggesting that they pretty much had control of everything in the given network (depending on topology and segregation).

We struggled with a possible JCPenney incident before reading this document. We initially categorized it as "fringe", but it seems pretty obvious at this point that JCPenney was either:

  1. 1) just hacked
  2. or
  3. 2) hacked badly enough to expose card data

But judge for yourself: here's the attachment and the full pdf we obtained (including the attachment) for context. If you use these, please credit the Open Security Foundation for buying these and making them public -- you don't have to as they are public record, but we did have to pay for them, so we'd appreciate the credit!


by Anonymous on 2010-03-29 (about 4 years ago)

Pretty powerful. Enterprise IT folks better take notice. They are using some of the basic methods of pen-testers

by Anonymous on 2010-03-29 (about 4 years ago)

Read the court government's sentencing memorandum of law -- not cc data was "exfiltrated" from the company's servers. Hence, the lack of a need to disclose any (non) loss of data.

by d2d [Data Loss Maven] on 2010-03-29 (about 4 years ago)

umm, from everything I've read in that document, I'm still pretty convinced something happened at JCPenney. Maybe you're referring to a seperate document. send a pacer link if you have one, or email curators@ any downloaded court docs you might have access to.

by Anonymous on 2010-10-13 (over 3 years ago)

Sounds more like an inside job.

New Comment

Are you human?

Sponsored By: Rbs Zecurion
Use of the DataLossDB, and its exports, RSS feeds, reports, or other materials produced on this site by the Open Security Foundation requires authorization and potential licensing arrangements. For more information, please e-mail [email protected] with a brief summary of how you would like to use this information; product, service, research, etc.
© 2005 - 2014, Open Security Foundation, All Rights Reserved.