NEW YORK — The Department of Justice announced Tuesday the indictment of 11 people whom they say stole millions of credit and debit card numbers from major retailers in the nation's largest case of identity theft.
The 11 people — including three Americans — allegedly targeted such retailers as TJX Companies, BJs Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.
"This is the single largest and most complex identity theft case ever charged in this country," Attorney General Michael Mukasey said at a hastily planned press conference in Boston Tuesday.
Mukasey called the total dollar amount of the alleged theft "impossible to quantify at this point." U.S. Attorney Michael J. Sullivan said that while most of the victims were in the United States, officials still haven't identified all the people who had a card number stolen.
"I suspect that a lot of people are unaware that their identifying information has been compromised," he said.
Named as the alleged ringleader in the indictment is Albert "Segvec" Gonzalez, of Miami, who had worked as a confidential informant for the Secret Service. He has been charged with computer fraud, wire fraud, access device fraud, aggravated identity theft and conspiracy for his role in the scheme and faces the possiblilty of life imprisonment.
T.J. Maxx, Marshalls Operator Reports Customer ID Thefts After Hacking Detected "The Boston indictment alleges that Gonzales and his co-conspirators stole over 40 million credit and debit card numbers making this the largest credit card fraud and identity theft scheme ever identified, investigated and prosecuted in the United States," U.S. Attorney for the District of Massachusetts Michael Sullivan said Tuesday.
Also named in the indictments are Christopher Scott and Damon Patrick Toey, also of Miami.
Investigators say Gonzalez and his cohorts were able to tap into computer networks using a technique called "war driving."
"War dirving is simply driving around in a car with a laptop computer looking for accessible wireless computer networks," Sullivan said.
Once they found a retailer's network, officials alleged the men would hack into the system and install "sniffer programs," which would relay sensitive credit card information back to the men.
"This allowed the defendants to remotely capture sensitive information such as the card numbers, passwords and account information," Sullivan said.
Those named in the indictment allegedly sold the information to criminals abroad and in the U.S., or encrypt blank credit cards to withdraw money from ATMs, officials said.
Federal officials discovered Gonzalez was involved in the scheme after he began working for the Secret Service as an informant. He is in custody.
Indictments were unsealed Tuesday in San Diego against Maksym "Maksik" Yastremskiy of Kharkov, Ukraine, and Aleksandr "Jonny Hell" Suvorov of Sillamae, Estonia. The indictments charge them with crimes related to the sale of the stolen credit card data.
Furthermore, indictments against Hung-Ming Chiu and Zhi Zhi Wang, both of China, and a person known only by the online nickname "Delpiero" were also unsealed in San Diego.
The heist was a black eye for retailers like TJX. The company, which initially disclosed the data breach in January 2007, said a few months later that at least 45.7 million cards were exposed to possible fraud in a breach of its computer systems that began in July 2005. Court filings by some banks that sued TJX put the number of cards affected at more than 100 million, based on estimates by officials with Visa and MasterCard, who were deposed in the suit.
In May, TJX said it won support from Mastercard-issuing banks for a settlement that will pay them as much as $24 million to cover costs from the data breach. A similar agreement reached last November with Visa-card issuing banks also was overwhelmingly approved. That agreement set aside as much as $40.9 million to help banks cover costs including replacing customers payment cards and covering fraudulent charges.
Federal officials urged those who think they may have been affected by the ID theft scheme to contact their bank.
as a B2B online merchant, we no longer accept credit card transactions when the email address is anonymous (hotmail, yahoo) or does not exist or does not respond (in this case, we call to confirm the transaction - if no phone number is provided we do not process the credit card)
: Any idea which data mining technique was used to unearth the fraud?