No one can duck Heartland fallout until it stops

Last week's report of JC Penney trying to keep its name out of the Heartland credit card debacle didn't get anywhere near the attention heaped upon hacker mastermind Albert Gonzalez netting himself a 20-year prison sentence in the case, so it's definitely worth a mention here.

According to an IDG News Service report, JC Penney attorneys argued in December of last year that, absent evidence of resultant identity theft, disclosing the retail chain's role as a victim in the Heartland case "may discourage other victims of cybercrimes to report the criminal activity or cooperate with enforcement officials for fear of the retribution and reputational damage that may arise from a policy of disclosure as espoused by the government in this case."

U.S. prosecutors stated the obvious in response: "Most people want to know when their credit or debit card numbers have been put at risk, not simply if, and after, they have clearly been stolen."

The scales of justice eventually tipped in favor of disclosure, but only after a Massachusetts judge undid the bamboozlement that had allowed a New Jersey counterpart to buy into JC Penney's sorry song and dance.

And should anyone doubt the wisdom of that corrective decision, they should have a chat with one of the 5,000 customers of Colorado's First National Bank of Durango, who had no idea that they were potential Heartland victims until being notified only on March 1 of this year. Actually, as many as 20 of them may have suspected earlier when they started noticing apparently fraudulent charges to their accounts.

I learned of the Colorado bank victims through an item in a newsletter published by DataLossDB and asked one of that organization's project managers, Kelly Todd, whether it was indicative of there being yet more Heartland time bombs ticking out there; little stashes of card numbers just waiting to be used by your more patient criminals.

Todd's reply: "Yep, that's how I read it, too. At least one list subscriber mailed me off-list to ask why people don't realize that once card numbers or other personal information has been compromised, said information is compromised forever (or at least until the information changes, which won't happen for SSN, DOB, and 99.999% of the time, a name). A year later and still reporting Heartland-related news? Sure. Card numbers will be out there at least until they get cancelled or expire, and my new cards usually have the same number as the old one, so if they're in the hands of the bad guys, I'm probably at risk without even knowing it."

The bottom line here is that corporate interests will first and foremost always be focused on their corporate interests: their own bottom lines. Of course they'd rather not have their good names sullied by association with an identity-theft case of this magnitude. And of course they'll trot out the lawyers to downplay the exposure to their customers … it's all part of minimizing their own exposure.

As the U.S. prosecutor noted in opposing JC Penney's responsibility dodge, most people want to know when their credit or debit card numbers have been put at risk. You can be certain that "most people" here includes the JC Penney lawyers who argued otherwise.

This story, "No one can duck Heartland fallout until it stops" was originally published by Network World.

Copyright © 2010 IDG Communications, Inc.
