A Wisconsin man has been sentenced to serve 32 months in prison and must pay $350,000 in penalties, after he was convicted of stealing Kohl’s Cash certificates from thousands of customers and selling them online.
35-year-old Robert Gordon of Weston, Wisconsin, pleaded guilty back in October to wire fraud and trafficking access devices. That plea came five months after he was charged with hacking into Kohl’s customers’ loyalty accounts to claim their Kohl’s Cash, which customers earn by making purchases and can use for cash off future purchases. Some of the Kohl’s Cash was used by Gordon himself to get thousands of dollars’ worth of Kohl’s merchandise for free, but most of it he ended up offering for sale on Twitter.
Kohl’s was alerted to the scheme by a tipster who saw the Kohl’s Cash certificates being sold online. That, together with the numerous complaints from customers who said the Kohl’s Cash they had earned was missing from their online accounts, prompted Kohl’s to alert the authorities.
Federal investigators found that Gordon had initially purchased the stolen Kohl’s Cash from “a partner located overseas.” He then obtained a file of more than 17 million unique usernames and passwords stolen from an unknown source, which he ran through a computer program that automatically tried those username and password combinations to see if any would log him in to Kohl’s customers’ accounts, where he could claim any Kohl’s Cash they had available.
And enough of the login credentials did work to make the scheme worth his while.
Over one particular three-day period alone, investigators said Kohl’s “recorded more than 7,500 separate login attempts from one IP address later traced to Gordon’s computer… The login attempts occurred every few seconds and used a different username and password each time.” A “few hundred” of the login attempts were successful, and Kohl’s Cash certificates associated with those accounts were taken.
And that was just over a few days. This same thing happened for nearly an entire year, from June 2018 to May 2019, during which time Gordon obtained nearly $100,000 worth of Kohl’s Cash.
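The pattern investigators described (one IP address, an attempt every few seconds, a different username each time) is something a login service can flag from its own authentication log. The following is an added example, not code from the article, Kohl's or the investigation; the log tuple layout, thresholds, IP addresses and usernames are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_attempts=50, min_distinct_ratio=0.9):
    """events: (timestamp, ip, username, success) tuples sorted by time.
    Flags IPs that, inside a sliding window, make many login attempts
    where nearly every attempt uses a different username."""
    recent = defaultdict(deque)   # ip -> (timestamp, username) still in window
    flagged = {}                  # ip -> time the threshold was first crossed
    hits = defaultdict(set)       # ip -> usernames it successfully logged in as
    for ts, ip, user, ok in events:
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        if ok:
            hits[ip].add(user)
        if ip not in flagged and len(q) >= min_attempts:
            distinct = len({u for _, u in q})
            if distinct / len(q) >= min_distinct_ratio:
                flagged[ip] = ts
    # Report every account the flagged IP got into, before or after detection,
    # so those passwords can be reset and reward balances reviewed.
    return {ip: {"first_flagged": t, "accounts_to_reset": sorted(hits[ip])}
            for ip, t in flagged.items()}

def constructed_events():
    """Constructed sample log (documentation IP ranges), not real data."""
    start = datetime(2019, 1, 1, 12, 0, 0)
    events = []
    # Automated source: a new username every 4 seconds, about 3% succeed.
    for i in range(300):
        events.append((start + timedelta(seconds=4 * i), "203.0.113.7",
                       f"user{i}@example.com", i % 33 == 0))
    # Ordinary customer: mistypes their own password, then gets in.
    for i in range(4):
        events.append((start + timedelta(seconds=30 * i), "198.51.100.20",
                       "alice@example.com", i == 3))
    return sorted(events, key=lambda e: e[0])

if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(constructed_events()).items():
        print(ip, info["first_flagged"], info["accounts_to_reset"])
```

The distinct-username ratio is what separates this traffic from a customer retrying their own password: the customer's IP repeats one username, so it never qualifies regardless of how many times they retry.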
Investigators say Gordon and his wife used hundreds of Kohl’s Cash certificates worth about $10,000 to make dozens of purchases for themselves on Kohl’s website. The rest was advertised for sale on Gordon’s Twitter account, @OfficialJigLord, for 50% of their face value.
And it wasn’t just Kohl’s. @OfficialJigLord also sold customer rewards apparently stolen from other retailers, including American Eagle, Chick-fil-A, Qdoba, ULTA, Chipotle, Starbucks, Shell, Bath & Body Works, IHOP, Panera Bread and more.
Gordon’s wife Diana was initially charged alongside him. But she ended up entering into a deferred prosecution agreement, which will allow her to avoid punishment if she meets certain unstated conditions. His attorneys, meanwhile, argued for a lenient sentence. They portrayed him as a family man with five children, who served his country for nearly two decades as a decorated member of the U.S. Army, serving six tours of active duty in Iraq and Afghanistan. “He will almost certainly be involuntarily discharged from the Army, and will thus forfeit all of the benefits which he has accrued,” his attorneys pointed out. Therefore, they asked for a sentence of probation.
Prosecutors acknowledged Gordon’s “commendable record” in serving his country. But “by engaging in the fraud scheme, he victimized citizens of the country he swore to protect.” They argued for a harsher sentence, pointing out that Gordon “had no qualms about stealing and using people’s personal identifying information. And he would have continued with the scheme but for his arrest in this case.”
The judge in the case opted to sentence him to 32 months behind bars, far below the maximum 20 years. He will also have to pay $250,000 in restitution, plus an additional $100,000 in forfeiture. He’s been ordered to surrender to authorities to begin his prison term in about three weeks.
The lesson to consumers in this case is not to use the same usernames and passwords across multiple accounts. The stolen user information that Gordon obtained came from only one source. Hackers know that many people use the same login credentials for various online accounts, so once they obtain usernames and passwords for one account, they try them anywhere they can think of, hoping to get lucky and gain access to multiple accounts.
And the lesson to Gordon is that buying and selling stolen information may be lucrative in the short term, but ultimately those profits can come at a very steep price.
I despise Kohl’s Cash, another corporate marketing scam.
Simply reduce the price of the purchase, instead of using a scheme which alludes to finding free money which it is not!!!
I despise Kohl’s Cash, another corporate marketing scam.
Simply reduce the price of the purchase, instead of using a scheme which alludes to finding fake free money which it is not!!!