11 charged in credit card fraud case; TJX among retailers targeted.
BOSTON - The Department of Justice announced yesterday that it had charged 11 people in connection with the hacking of nine major U.S. retailers and the theft and sale of more than 41 million credit and debit card numbers.
It is believed to be the largest hacking and identity theft case ever prosecuted by the Department of Justice. The charges include conspiracy, computer intrusion, fraud and identity theft.
The indictment returned yesterday by a federal grand jury in Boston alleges that the people charged hacked into the wireless computer networks of retailers including TJX Cos., BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.
"While technology has made our lives much easier it has also created new vulnerabilities," U.S. Attorney Michael J. Sullivan said in a statement. "This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results."
The indictment alleges that the hackers installed programs to capture card numbers, passwords and account information, and then concealed the data in computer servers that they controlled in the U.S. and Eastern Europe.
"They used sophisticated computer hacking techniques, that would allow them to breach security systems and install programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves," said Attorney General Michael Mukasey in a press conference. "And in total, they caused widespread losses by banks, retailers, and consumers."
Mukasey said the total dollar amount of the alleged theft is "impossible to quantify at this point." Sullivan said officials still haven't identified all the victims who had a credit or debit card number stolen.
"I suspect that a lot of people are unaware that their identifying information has been compromised," he said.
Sullivan said the alleged thieves weren't computer geniuses, just opportunists who used a technique called "wardriving," which involved cruising through different areas with a laptop computer and looking for accessible wireless Internet signals. Once they located a vulnerable network, they installed so-called "sniffer programs" that captured credit and debit card numbers as they moved through a retailer's processing networks.
The information was stored on two servers in Ukraine and Latvia - one with more than 25 million credit and debit card numbers and another with more than 16 million numbers, Sullivan said.
Most of the victims were in the United States, Sullivan said.
The heist was a black eye for retailers like Framingham-based TJX. The company, which initially disclosed the data breach in January 2007, said a few months later that at least 45.7 million cards were exposed to possible fraud in a breach of its computer systems that began in July 2005. Court filings by some banks that sued TJX put the number of cards affected at more than 100 million, based on estimates by officials with Visa and MasterCard, who were deposed in the suit.
In May, TJX said it won support from Mastercard-issuing banks for a settlement that will pay them as much as $24 million to cover costs from the data breach. A similar agreement reached last November with Visa-card issuing banks also was overwhelmingly approved. That agreement set aside as much as $40.9 million to help banks cover costs including replacing customers payment cards and covering fraudulent charges.
Under the indictments unsealed yesterday, three of the defendants are U.S. citizens, one is from Estonia, three are from Ukraine, two are from China and one is from Belarus. One individual is only known by an alias online, and his place of origin is unknown.
In the Boston indictment, Albert "Segvec" Gonzalez of Miami, who is accused of leading the scheme, was charged with computer fraud, wire fraud, access device fraud, aggravated identity theft and conspiracy. Gonzalez, who is in custody in New York, faces a maximum penalty of life in prison if he is convicted of all the charges.
Indictments were unsealed yesterday in San Diego against Maksym "Maksik" Yastremskiy of Kharkov, Ukraine, and Aleksandr "Jonny Hell" Suvorov of Sillamae, Estonia. The indictments charge them with crimes related to the sale of the stolen credit card data.
Furthermore, indictments against Hung-Ming Chiu and Zhi Zhi Wang, both of China, and a person known only by the online nickname "Delpiero" were also unsealed in San Diego.
Justice Department officials said Suvorov was arrested by the German Federal Police in Frankfurt in March 2008 on the San Diego charges when he traveled there on vacation. He is in custody awaiting the resolution of extradition proceedings.
Yastremskiy was arrested when he traveled to Turkey on vacation in July 2007. He is facing related Turkish charges, and U.S. officials said they have made a formal request for his extradition.
Gonzalez is a U.S. Secret Service informant who helped the agency derive some technology they previously weren't aware of, U.S. Secret Service Director Mark Sullivan said at a news conference in Boston.
"Because of Mr. Gonzalez and that particular investigation, we were able to take over a Web site that various criminals were using to transmit stolen identifiers and stolen credit card numbers," Sullivan said.
|Printer friendly Cite/link Email Feedback|
|Publication:||Telegram & Gazette (Worcester, MA)|
|Date:||Aug 6, 2008|
|Previous Article:||Energy firm's revenues double; American Superconductor has strong wind power sales in Asia.|
|Next Article:||Marijuana plus mayhem = muddle.|