Feeds

Feds charge 11 in TJX ID fraud case

Nine companies, 40m card accounts hacked

The Essential Guide to IT Transformation

Federal prosecutors announced on Tuesday that they had indicted eleven people in the largest case of identity theft and hacking ever prosecuted by the US Department of Justice. The eleven suspects, including three US citizens, allegedly took part in stealing more than 40 million credit and debit card accounts from nine major retailers and restaurants, including TJX Companies, BJ’s Wholesale Club, OfficeMax, Barnes & Noble, Sports Authority, Forever 21 and DSW. The Dave & Busters and Boston Market restaurant chains were also among the victims, prosecutors stated.

"While technology has made our lives much easier it has also created new vulnerabilities," Michael J. Sullivan, US Attorney for the District of Massachusetts, said in a statement announcing the indictments. "This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results."

The crimes the eleven have been charged with have made headlines over the past three years. In January 2007, retail giant TJX companies - which operates TJ Maxx and Marshalls stores - announced that unknown identity thieves had stolen more than 46.5 million credit cards, a number later found to be at least twice as high. A year earlier, some industry watchers ascribed a rise in debit-card fraud to retailers OfficeMax and Sam's Club.

An indictment returned by a federal grand jury in Boston on Tuesday charged Albert Gonzalez of Miami with computer fraud, wire fraud, access device fraud, aggravated identity theft and conspiracy for his role in the scheme. Christopher Scott and Damon Patrick Toey, both of Miami, were charged in additional documents. Eight other foreign nationals living outside the United States were charged in indictments unsealed in San Diego, according to prosecutors.

"They used sophisticated computer hacking techniques, breaching security systems and installing programs that gathered enormous quantities of personal financial data, which they then allegedly sold to others or used themselves," US Attorney General Michael Mukasey said in prepared remarks. "And in total, they caused widespread losses by banks, retailers, and consumers."

The alleged thieves used wireless scanners to find stores with vulnerable networks and then collected data using network sniffers to capture credit-card numbers, PINs and other account information. The ID theft ring then allegedly stored the stolen information on encrypted servers in Eastern Europe and the United States, selling some of the accounts to other criminals.

The alleged members of the ring converted the data to cash by creating counterfeit credit and debit cards with the information and using the cards to withdraw "tens of thousands of dollars at a time from ATMs," prosecutors said in a statement announcing the indictments. Digital currency services were used to launder the proceeds.

The case also underscores the international nature of cybercrime, prosecutors said. While three of the defendants are US citizens, the others come from outside the United States, including Estonia, Ukraine, the People’s Republic of China and Belarus. One of the alleged thieves is only known by an online pseudonym and continues to elude authorities.

The San Diego indictments charge the remaining eight foreign nationals with operating an international distribution ring for stolen credit and debit card accounts from Belarus, Estonia, the People's Republic of China, the Philippines, Thailand and Ukraine.

"So far as we know, this is the single largest and most complex identity theft case ever charged in this country," said Mukasey. "It highlights the efforts of the Justice Department to fight this pernicious crime and shows that, with the cooperation of our law enforcement partners around the world, we can identify, charge and apprehend even the most sophisticated international computer hackers."

The lead defendant, Albert Gonzalez, had already been arrested by US law enforcement for access device fraud in 2003, prosecutors said. During the current investigation, Gonzalez had been working as a confidential informant, but the Secret Service claimed that it had discovered that he was criminally involved in the case.

US law enforcement has thrown the book at Gonzalez - if convicted of the charges he could be sentenced to life in prison, according to prosecutors.

This article originally appeared in Security Focus.

Copyright © 2008, SecurityFocus

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.