Now being reported in the mainstream media, JCPenney was "Company A" in the recently infamous Albert Gonzalez trial. In the court filings, we found some attachments that seem to have been a convincing factor in the judge's decision to unseal the identity of "Company A", a.k.a. JCPenney. JCP fought hard to keep its identity concealed, but ultimately it would seem that these attachments, as well as some reporting by Evan Schuman, made the difference.
Attachment A, filed in document 14 of the case (for those following the case on PACER, etc.), shows ICQ chat extracts where Gonzalez and a co-conspirator discuss JCPenney. It is damning from a security professional's point of view. It would seem almost irrefutable that JCPenney was compromised. How many cards were stolen is unknown, but cards were almost undoubtedly stolen, and JCPenney has (until now) seemingly dodged a huge public relations bullet. Below is a snippet from the attachment:
Gonzalez then posts what appear to be names and credit card details (redacted in the court docs). They then go on to talk about how one of the conspirators had "domain admin" access, suggesting that they had control of pretty much everything in the given network (depending on topology and segregation).
We struggled with a possible JCPenney incident before reading this document. We initially categorized it as "fringe", but it seems pretty obvious at this point that JCPenney was either:
But judge for yourself: here's the attachment and the full PDF we obtained (including the attachment) for context. If you use these, please credit the Open Security Foundation for buying them and making them public -- you don't have to, as they are public record, but we did have to pay for them, so we'd appreciate the credit!
by Anonymous on 2010-03-29 (about 3 years ago)
Pretty powerful. Enterprise IT folks had better take notice. They are using some of the basic methods of pen-testers.
by Anonymous on 2010-03-29 (about 3 years ago)
Read the court government's sentencing memorandum of law -- no cc data was "exfiltrated" from the company's servers. Hence, the lack of a need to disclose any (non) loss of data.
by d2d [Data Loss Maven] on 2010-03-29 (about 3 years ago)
umm, from everything I've read in that document, I'm still pretty convinced something happened at JCPenney. Maybe you're referring to a separate document. Send a PACER link if you have one, or email curators@ any downloaded court docs you might have access to.
by Anonymous on 2010-10-13 (over 2 years ago)
Sounds more like an inside job.