Last week TJX and Hannaford Brothers hacker Albert Gonzales was sentenced to two concurrent 20-year terms in prison for his role in stealing upwards of 130 million credit and debit card numbers from various retailers. According to MiamiHerald.com:
[H]e and two foreign co-defendants would drive past retailers...with a laptop computer, tapping into those with vulnerable wireless Internet signals. They would then install "sniffer programs'' that picked off credit and debit card numbers as they moved through a retailer's computers.
JC Penney was one of the retailers whose systems Gonzales breached. Unlike TJX, Hannaford, Dave & Busters and others, however, JC Penney fought to remain anonymous in court documents related to the case. Computerworld reported that when the case against Gonzales was moved from New Jersey to Massachusetts in December, JC Penney filed a motion asking the court not to disclose its identity. The retailer argued that disclosure would
discourage other victims of cybercrimes to report the criminal activity or cooperate with enforcement officials for fear of the retribution and reputational damage that may arise...
The company pointed to the fact that the breach had occurred two years earlier and disclosing its identity now would only confuse and frighten customers.
The court disagreed and instead sided with the prosecution, which said:
Most people want to know when their credit or debit card numbers have been put at risk, not simply if, and after, they have clearly been stolen.
Just an observation, but if JC Penney's name had been used in the court documents, I may not have even realized it. Now that the company has protested so loudly to try and protect itself, I not only know it doesn't want people to know what happened, but I also wonder why that needed to remain hidden, as well as what else the retailer might be hiding.