US indicts 11 in credit card scheme

By The Associated Press

Authorities have cracked what is believed to be the largest federal hacking and identity theft case ever, involving the theft and sale of more than 41 million credit and debit card numbers.

Eleven people, including a U.S. Secret Service informant, have been charged in connection with data breaches at nine major retailers, the Justice Department announced Tuesday. Three of those charged are U.S. citizens, while the others are from places such as Estonia, Ukraine, Belarus and China.

The indictment, returned Tuesday by a federal grand jury in Boston, alleges that the suspects hacked into the wireless computer networks of retailers including TJX, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW and set up programs that captured card numbers, passwords and account information.

• Tell us: Which kind of ID theft worries you most?

"They used sophisticated computer hacking techniques that would allow them to breach security systems and install programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves," Attorney General Michael Mukasey said at a news conference. "And in total, they caused widespread losses by banks, retailers and consumers."

Mukasey called the total dollar amount of the alleged theft "impossible to quantify at this point." U.S. Attorney Michael J. Sullivan said that while most of the victims were in the United States, officials still haven't identified all the people who had a card number stolen.

"I suspect that a lot of people are unaware that their identifying information has been compromised," he said.

Sullivan said the alleged thieves weren't computer geniuses, just opportunists who used a technique called "wardriving," which involved cruising through different areas with a laptop and looking for accessible wireless Internet signals. Once they located a vulnerable network, they installed so-called "sniffer programs" that captured credit and debit card numbers as they moved through a retailer's processing networks.

The information was stored on two servers in Ukraine and Latvia -- one with more than 25 million credit and debit card numbers and another with more than 16 million numbers, Sullivan said.

The heist was a black eye for retailers like TJX. The company initially disclosed the data breach in January 2007 but said a few months later that at least 45.7 million cards were exposed to possible fraud in a breach of its computer systems that began in July 2005. Court filings by some banks that sued TJX put the number of cards affected at more than 100 million, based on estimates by officials with Visa and MasterCard, who were deposed in the suit.

In May, TJX said it won support from MasterCard-issuing banks for a settlement that will pay them as much as $24 million to cover costs from the breach. A similar agreement reached last November with Visa-card-issuing banks set aside as much as $40.9 million to help banks cover costs including replacing customers' payment cards and covering fraudulent charges.

Continued: For personal gain

 1 | 2 | next >