TJX identity theft saga continues: 11 charged with pilfering millions of credit cards

The Justice Department charged 11 people in connection with the massive credit and debit card number theft from various retailers, including TJX, BJs and OfficeMax.

The group charged were involved in the theft of more than 40 million credit and debit card numbers that officials said they is the largest identity-theft case ever prosecuted by the Department of Justice.

In an indictment returned today by a federal grand jury in Boston, Albert "Segvec" Gonzalez, of Miami, was charged with computer fraud, wire fraud, access device fraud, aggravated identity theft and conspiracy for his role in the scheme. Charges were also brought on related charges against Christopher Scott and Damon Patrick Toey, both of Miami, the DOJ said.  Gonzalez was previously arrested by the Secret Service in 2003 for access device fraud. During the course of this investigation, the Secret Service discovered that Gonzalez, who was working as a confidential informant for the agency, was criminally involved in the case. Because of the size and scope of his criminal activity, Gonzalez faces a maximum penalty of life in prison if he is convicted of all the charges alleged in the Boston indictment.

 Others from Estonia, China and Belarus were also charged.

The indictment alleges that during the course of the sophisticated conspiracy, Gonzalez and his co-conspirators obtained the credit and debit card numbers by "wardriving" and hacking into the wireless computer networks of major retailers - including TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. Once inside the networks, they installed "sniffer" programs that would capture card numbers, as well as password and account information, as they moved through the retailers' credit and debit processing networks, the DOJ said.

The indictment alleges that after they collected the data, the conspirators concealed the data in encrypted computer servers that they controlled in Eastern Europe and the United States. They allegedly sold some of the credit and debit card numbers, via the Internet, to other criminals in the United States and Eastern Europe. The stolen numbers were "cashed out" by encoding card numbers on the magnetic strips of blank cards. The defendants then used these cards to withdraw tens of thousands of dollars at a time from ATMs. Gonzalez and others were allegedly able to conceal and launder their fraud proceeds by using anonymous Internet-based currencies both within the United States and abroad, and by channeling funds through bank accounts in Eastern Europe, the DOJ said.

"They used sophisticated computer hacking techniques, breaching security systems and installing programs that gathered enormous quantities of personal financial data, which they then allegedly sold to others or used themselves," said Attorney General Michael Mukasey in prepared remarks. "And in total, they caused widespread loses by banks, retailers, and consumers."

Retailers, particularly TJX are still suffering from the impact of the data breach.  For example, in an agreement reached in March and finalized just last week, TJX settled Federal Trade Commission charges that it failed to provide reasonable and appropriate security for sensitive consumer information.  The settlement requires that the company implement comprehensive information security programs and obtain audits by independent third-party security professionals every other year for 20 years. No fines or consumer reimbursements were part of the settlement.

The FTC settlement doesn't get the company out of the woods however as almost 40 states and other Federal investigations loom.

According to the FTC complaint, TJX, with over 2,500 stores worldwide, failed to use reasonable and appropriate security measures to prevent unauthorized access to personal information on its computer networks. An intruder exploited these failures and obtained tens of millions of credit and debit payment cards that consumers used at TJX's stores, as well as the personal information of approximately 455,000 consumers who returned merchandise to the stores. Banks have claimed that tens of millions of dollars in fraudulent charges have been made on the cards and millions of cards have been cancelled and reissued.

Layer 8 in a box

Check out these related stories:

DARPA earmarks $10M to keep heat out of electronics

US sets national emergency responder communications plan

NASA Shakes, Bakes, Rattles and Blasts Lunar Spaceship

Lots of excuses, little use of encryption on government mobile computers  

NASA Looking For a Few Cool (and Green) Aircraft

Researchers get $2.6M to cultivate energy-efficient virtualized data center

Watchdogs question US Post Office outsourcing system

NASA satellite fleet figures out why Northern Lights dance

Researchers tout new-fangled network worm weapon

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2008 IDG Communications, Inc.

SD-WAN buyers guide: Key questions to ask vendors (and yourself)