The Green Sheet Online Edition
November 24, 2008 • Issue 08:11:02
TJX cyber thieves get slammed
In 2007, TJX Companies Inc., owner of several retail brands including T.J. Maxx, Marshalls and Bob's Stores, reported that millions of credit and debit card numbers were stolen from its systems over a year-and-a-half period.
The final number approached 100 million cards - the largest theft of personal card data in the United States.
But according to the U.S. Department of Justice, the fraudsters who perpetrated the TJX breach had been hacking into various retailers' systems since 2003; between 2003 and 2007, the fraudsters hacked into nine other retailers, including BJ's Wholesale Club Inc., DSW Shoe Warehouse Inc., OfficeMax, Barnes & Noble Inc., Boston Market Corp., Sports Authority and Forever 21 Inc.
"This case is believed to be the largest hacking and ID theft case the DOJ has ever prosecuted," U.S. Attorney General Michael Mukasey said.
In 2008, the DOJ's investigation paid off with a wave of indictments and its first two convictions.
In August, a federal grand jury in the U.S. District Court for the District of Massachusetts indicted 11 men, including ringleader Albert "Segvec" Gonzalez, Christopher Scott, Damon Patrick Toey and Stephen Watt.
The four men were charged with computer fraud, wire fraud, access device fraud, aggravated identity theft and conspiracy. The DOJ said the other defendants face conspiracy and theft charges in California and New York.
On Sept. 12, Toey pled guilty to four felony counts, including wire fraud, credit card fraud and aggravated identity theft. Toey, scheduled to be sentenced in December 2008, faces a maximum prison term of five years and a fine of $250,000 for each count.
In addition, under terms of the plea agreement, Toey must forfeit the money he made for his role in the thefts. Authorities do not know how much money Toey made from the crimes.
On Sept. 24, Christopher Scott pled guilty to conspiracy, unauthorized access to computer systems and identity theft. For his part in the thefts, Scott was paid approximately $400,000. He faces up to 22 years in prison and a $1 million fine.
Gonzalez, Watt and the seven others have not pled guilty; their cases are still pending.
Prosecutors testified that Scott and his accomplices hacked into retailers' computer networks by employing a tactic called wardriving.
With scanning devices and laptop computers, the fraudsters would sit in cars in shopping mall parking lots and scan the airwaves, looking for vulnerable wireless access points in computer systems.
When vulnerabilities were found, the thieves could hack into the retailers' networks.
Once in stores' systems, the fraudsters would search networks for unencrypted card information. Scott, whose expertise was hacking the networks, stole the data and provided the card information to Gonzalez to sell or to access cash from ATMs.
The DOJ said Gonzalez and the others were able to conceal and launder their fraudulently obtained proceeds through anonymous numbered bank accounts in Eastern Europe.
"This case highlights our increasing vulnerability to theft of personal information," Mukasey said.
"Computer networks and the Internet provide extraordinary opportunities for legitimate commerce and communication; however, they also provide the same opportunities for criminals who have enormous ability to cause harm."