As a judge handed down prison terms to two hackers for their roles in a ring that stole millions of credit card numbers from U.S. retailers, the list of their victims grew this week to include J.C. Penney Co. Inc. and The Wet Seal Inc., though both companies said the group did not obtain their customers’ data.
On Friday, a judge in U.S. District Court in Boston sentenced Albert Gonzalez, 28, of Miami, to 20 years in prison for his part as leader of the group, which, beginning in 2003, installed software in retailers’ networks that captured more than 40 million credit card numbers. Co-conspirator Christopher Scott, 28, also of Miami, received a seven-year sentence on Monday. Both men had earlier pleaded guilty to charges including fraud and identity theft.
Separately on Monday, the court unsealed documents that showed the hackers had attempted to access J.C. Penney’s computer networks in October 2007. Penney’s, previously known as “Company A” in court documents, had argued it should remain anonymous because the ring’s efforts were unsuccessful.
The company on Tuesday said: “Since no J.C. Penney customers were harmed as a result of the attempted breach, the company believed it had a legitimate interest in not being linked to criminal activity that resulted in major thefts of credit card information from other companies.”
Penney’s pointed to the decision of federal prosecutors in New Jersey, where a portion of the case was heard, not to disclose it as a victim because no data were stolen. The U.S. Attorneys’ office in Boston argued instead that it was in the public interest to reveal the department store operator’s part in the case. In an argument filed under seal on Dec. 29, the Boston prosecutors acknowledged that there was no evidence card information had been taken in the Penney’s incident, but wrote that it was only fair the store’s customers be told of the attempt.
In a separate statement Monday, teen retailer The Wet Seal said it discovered in May 2008 it had been a target of the Gonzalez ring. The company said it found no evidence the attack compromised any customer data.
The TJX Cos. Inc., one of the largest victims of the group, acknowledged in January 2007 that hackers had breached its systems. Indictments later showed the group targeted DSW Inc. and Forever 21 Inc., among others.
In a report issued Tuesday, the office of the U.S. Inspector General said identity theft affects an estimated 10 million Americans annually and that it believed the Department of Justice’s current approach to combat the problem is “not adequate based on the prevalence of the crime.”