After Gonzalez Plea, Feds Say BJ's, OfficeMax Had More Critical Role

When Albert Gonzalez officially pleaded guilty to many of the federal cyberthief charges against him on Friday (Sept. 11), the government shed a little more light on the case: BJ's Wholesale Club was the first retailer attacked, and the Secret Service has collected "more than forty million distinct credit and debit card numbers from two computer servers" controlled by Gonzalez and his associates. The government counted the consumer, retail and bank victims as "an enormous number of people, certainly millions upon millions, perhaps tens of millions."

Those comments from Assistant Boston U.S. Attorney Stephen Heymann during Friday's hearing may be the beginning of the end of details to be released about the case. The guilty plea means a trial has been avoided, which in turn means that the government won't be forced to reveal even more details. That's a relief to many of the retailers involved because, as they see it, the less light shed on their roles, the better.

In Friday's hearing, the government for the first time put a number next to the DSW breach, saying that the $1.5 billion apparel chain operating 300 stores in 37 states (in addition to supplying footwear to 367 leased locations) lost more than one million card numbers in the breach.

The government also said that OfficeMax—the $8.3 billion office supplies chain with 939 stores in the United States and 83 in Mexico—played a crucial role, with Heymann saying that OfficeMax's "then vulnerable encryption of PINs enabled Gonzalez (and a colleague) to sell the conspirators' bounty for particularly large profits."

The only new data morsel about TJX to emerge was a Heymann estimate that TJX alone "suffered close to $200 million in losses and associated expenses." But the prosecutors did paint a somewhat more detailed timeline for the TJX breach.

"The evidence at trial would show that it was Albert Gonzalez's close collaborator Christopher Scott, who's pled guilty elsewhere in this courthouse, who first hacked into TJX's computer network in the summer of 2005 by exploiting wireless connection points at two stores owned by TJX's Marshall's subsidiary down in Miami, Florida," Heymann told U.S. District Court Judge Patti B. Saris, at a hearing in federal court in Boston. "Within a week or two, Scott had accessed the main TJX servers that processed and stored payment card transactions, credit and debit card transactions. Over the coming months, he downloaded files pertaining to tens of billions of payment card transactions, delivering them in turn to Gonzalez for sale.

"These first ones were unencrypted files of payment card data pertaining to old transactions, all completed in or before 2003. Accordingly, many of the payment cards contained in them had expired by the time this data was stolen," Heymann said. "After 2003, payment card data was always stored in encrypted form, making it more difficult to steal in useful form. It had to be unencrypted to use it. There was, however, just a very brief period during the processing of each transaction when an individual payment card was not encrypted. It was by keenly and aggressively taking advantage of this instant of vulnerability that Gonzalez sought and ultimately succeeded in stealing current unencrypted payment card data."

Heymann also said that Gonzalez's group began its second stage of attacks against TJX in the summer of 2006 when Scott obtained VPN access to TJX's network, which certainly made the theft easier. "This VPN connection allowed Gonzalez and Scott to access TJX over the Internet and eliminated the need for them to be uncomfortably close to Marshall's stores, parked out in a car where they could have wireless access to the TJX servers," he said.

They then started using a sniffer to complete the thefts, Heymann said. "Gonzalez's sniffer program was specially configured to capture the unencrypted payment cards, unencrypted credit card and debit card information as it was being processed in that brief instant. To obtain a sniffer program capable of exploiting TJX's computer network, Gonzalez turned to his longtime associate Steven Watt, who has also pled guilty in another session in this courthouse."

"Under Gonzalez's direction, Watt specifically configured the sniffer program to take advantage of a vulnerability which he had spotted in TJX's payment card processing system and then later refined it to make it less visible so the people running TJX wouldn't see it and it would function more smoothly, so it would just capture the useful data," he said. "Ultimately that sniffer, first named 'blabla' and then renamed 'Issas' on the system, systematically logged payment cards and files which Scott and Gonzalez took out at regular intervals over their VPN."

The judge expressed strong concerns over the dollars being taken from Gonzalez and others accused of these thefts and wondered whether that money would be even remotely enough to cover the victims' losses.

After being told that the restitution amount was "to be determined by the court but no less than $600,000," Judge Saris sounded frustrated: "I had a sinking sensation that the number of victims may far exceed the amount of money involved, so is there an agreement essentially that the pool of whatever is available will be divvied up between the victims of both crimes, both New York and Massachusetts? Is that how I'm going to do it? We've already heard a few companies lost a fortune, not to mention the individuals, so I'm assuming—maybe I'm wrong—that they haven't found enough money to somehow pay everybody, so it's going to be a limited pool, right?"

Heymann told the judge that with the large number of different kinds of victims in these cases—banks, consumers, retailers, etc.—this restitution could be difficult to resolve. "There are the individuals who may or may not have been reimbursed, may or may not have had their lives affected by the fact that all of a sudden they found that somebody else was using their credit card," Heymann said.

The judge replied: "I have the right to simply take a nosedive and let people fight it out civilly if it's too complicated in restitution, but, ideally speaking, you don't put people to that expense. I don't know how I'll divide up between TJX and Dave & Buster's. I don't even know how I go about thinking about that, not to mention the individuals, since we have—how much would you figure you have all together in a pool? How much money do you have?"

Heymann replied that "it's very modest amounts compared to the very large numbers and sizes of losses that you've heard in the course of the allocution," which prompted a Gonzalez attorney, Martin Weinberg of Boston, to question the phrasing, given that almost $3 million in cash and goods had been surrendered.

"I don't necessarily agree (that) what has been voluntarily disgorged is modest, but I do agree that it's certainly modest relative to what TJX represents to be its corporate repair costs. But, no, I think that we will largely be silent parties and the Court will need to make restitution" decisions.