Now being reported in the mainstream media, JCPenney was “Company A” in the recently infamous Albert Gonzalez trial. In court filings, we found some attachments that seem to have been a convincing factor in the judges decision to unseal the identity of “Company A”, a.k.a JCPenney. JCP fought hard to keep its identity concealed, but ultimately it would seem that these attachments, as well as some reporting by Evan Schuman made the difference.
Attachment A, filed in document 14 of the case (for those following the case on PACER, etc.), shows ICQ chat extracts where Gonzalez and a co-conspirator discuss JCPenney. It is damning from a security professionals point of view. It would seem almost irrefutable that JCPenney was compromised. How many cards were stolen are unknown, but cards were almost undoubtedly stolen and JCPenney has (until now) seemingly dodged a huge public relations bullet. Below is a snippet from the attachment:
- Gonzalez: “what did hacker 2 say about jcp?”
- Conspirator: “he hacked 100+ sqls inside and stopped”
- Gonzalez: “hacker 2 told me he found a place to snif for dumps in jcp”
- Gonzalez: “i see, hacker 2 showed you anything?”
Gonzalez then posts what appears to be names and credit card details (redacted in the court docs). They then go on to talk about how one of the conspirators had “domain admin” access, suggesting that they pretty much had control of everything in the given network (depending on topology and segregation).
We struggled with a possible JCPenney incident before reading this document. We initially categorized it as “fringe”, but it seems pretty obvious at this point that JCPenney was either:
- 1) just hacked
- 2) hacked badly enough to expose card data
But judge for yourself: here’s the attachment and the full pdf we obtained (including the attachment) for context. If you use these, please credit the Open Security Foundation for buying these and making them public — you don’t have to as they are public record, but we did have to pay for them, so we’d appreciate the credit!