GS Logo
The Green Sheet, Inc

Please Log in

A Thing
View Archives

View PDF of this issue

Care to Share?

Table of Contents

Lead Story

The power to pay it forward


Industry Update

FTC agrees to settle with TJX

UIGEA - punt or pass?

Welcome to Bank of AmEx

Splitsville for First Data, JPMC

A taxing situation

TJX cyber thieves get slammed


Gather 'round for a tale of business savvy and doom

Prepaid en fuego in Latin America

The golden rule of payments

The long road to payments


Visa's 'campaign' promise

Ken Musante
Humboldt Merchant Services


Street SmartsSM:
Ask and ye shall sell

Jason Felts
Advanced Merchant Services

Preparing to sell a micro deal

Lane Gordon

A clean exit

Adam Atlas
Attorney at Law

Get time on your side

Vicki M. Daughdrill
Small Business Resources LLC

Want to be trusted? Earn it

Nancy Drexler
SignaPay Ltd.

Company Profile

CSH Consulting Inc.

New Products

Processing on the edge

Precidia Technologies Inc.

True end-to-end encryption

Hypersafe Secure
Hypercom Corp.


The magic of gratitude





Resource Guide


A Bigger Thing

The Green Sheet Online Edition

November 24, 2008  •  Issue 08:11:02

previous next

TJX cyber thieves get slammed

In 2007, TJX Companies Inc., owners of several retail brands including T.J. Maxx, Marshall's and Bob's Stores, reported millions of credit and debit card numbers were stolen from its systems over a year-and-a-half period.

The final number approached 100 million cards - the largest theft of personal card data in the United States.

But according to the A href="" target="_blank">U.S. Department of Justice, the fraudsters who perpetrated the TJX breach had been hacking into various retailers' systems since 2003; between 2003 and 2007, the fraudsters hacked into nine other retailers, including BJ's Wholesale Club Inc., DSW Shoe Warehouse Inc., Office Max, Barnes & Noble Inc., Boston Market Corp., Sports Authority and Forever 21 Inc.

"This case is believed to be the largest hacking and ID theft case the DOJ has ever prosecuted," U.S. Attorney General Michael Mukasey said.

Sweeping up

In 2008, the DOJ's investigation paid off with a wave of indictments and its first two convictions.

In August, a federal grand jury in the U.S. District Court for the District of Massachusetts indicted 11 men, including ringleader Albert "Segvec" Gonzalez, Christopher Scott, Damon Patrick Toey and Stephen Watt.

The four men were charged with computer fraud, wire fraud, access device fraud, aggravated identity theft and conspiracy. The DOJ said the other defendants face conspiracy and theft charges in California and New York.

On Sept. 12, Toey pled guilty to four felony counts, including wire fraud, credit card fraud and aggravated identity theft. Toey, scheduled to be sentenced in December 2008, faces a maximum prison term of five years and a fine of $250,000 for each count.

In addition, under terms of the plea agreement, Toey must forfeit the money he made for his role in the thefts. Authorities do not know how much money Toey made from the crimes.

On Sept. 24, Christopher Scott pled guilty to conspiracy, unauthorized access to computer systems and identity theft. For his part in the thefts, Scott was paid approximately $400,000. He faces up to 22 years in prison and a $1 million fine.

Gonzalez, Watt and the seven others have not pled guilty; their cases are still pending.

House cleaning

Prosecutors testified that Scott and his accomplices hacked into retailers' computer networks by employing a tactic called wardriving.

With scanning devices and laptop computers, the fraudsters would sit in cars in shopping mall parking lots and scan the airwaves, looking for vulnerable wireless access points in computer systems.

When vulnerabilities were found, the thieves could hack into the retailers' networks.

Once in stores' systems, the fraudsters would search networks for unencrypted card information. Scott, whose expertise was hacking the networks, stole the data and provided the card information to Gonzalez to sell or to access cash from ATMs.

The DOJ said Gonzalez and the others were able to conceal and launder their fraudulently obtained proceeds through anonymous numbered bank accounts in Eastern Europe.

"This case highlights our increasing vulnerability to theft of personal information," Mukasey said.

"Computer networks and the Internet provide extraordinary opportunities for legitimate commerce and communication; however, they also provide the same opportunities for criminals who have enormous ability to cause harm."

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

previous next

Spotlight Innovators:

North American Bancard | Simpay | USAePay | Impact Paysystems | Board Studios