
Extra 8/11/2008 1:56 PM ET

Did stores hush up credit card scam?

Continued from page 1

OfficeMax has denied having any knowledge of a breach. New Jersey authorities who investigated the company in 2005 believed it was one of a number of retailers compromised, and last week's indictments describe how the defendants allegedly broke into their networks.

Boston Market and Forever 21 say their own investigations couldn't corroborate the government's findings. Federal officials say they stand by the information in the indictments.

The indictments allege that one of the suspects, Christopher Scott, and another man identified only by initials broke into the wireless network of an OfficeMax store in Miami in 2004 and gained access to credit card data. Scott, through family members, declined to comment.

Authorities also said they discovered in 2005 that OfficeMax's computer systems had been breached by another group that obtained customer data and used it to make counterfeit credit cards. "We believe the (credit card) information was coming out of an OfficeMax in North Carolina," said Lt. Tom Cooney of the Hudson County prosecutor's office in Jersey City, N.J. "It turned out that a number of the victims" were customers at the same OfficeMax.

Edward DeFazio, a Hudson County prosecutor, says investigators in the joint federal-state probe notified OfficeMax and other retailers that their systems had been breached in a card-theft ring. Fourteen people were arrested in March 2006.

That month, OfficeMax acknowledged in an SEC filing an "ongoing federal investigation involving legitimate debit card use at various retailers that was later tied to fraudulent transactions outside the U.S." But the filing added that "we have no knowledge of a security breach at OfficeMax."

In a statement after last week's indictments, the Naperville, Ill., company said, "It would be inappropriate to express our views relating to an ongoing criminal investigation." It said it has cooperated with authorities in their probe and is "confident in the integrity and security of our systems."

Last week's indictments also describe "attacks on Forever 21," which operates more than 350 clothing stores. Prosecutors allege that sometime this year, Damon Patrick Toey of Miami broke into Forever 21's system and shared access with Albert Gonzalez, the group's alleged ringleader, "for the purpose of downloading credit card information of customers of Forever 21." Lawyers for Gonzalez declined to comment. Toey couldn't be reached to comment.

Larry Meyer, a spokesman for Forever 21, says that last spring, federal authorities notified the Los Angeles company that it was among several retailers whose computer systems were "potentially infiltrated" by a crime ring. Authorities "asked us to investigate for a breach," he says.

He says Forever 21 conducted an internal investigation but didn't find a sign of a breach. Therefore, Meyer says, the company didn't notify customers that their credit card information was potentially at risk. "There was no breach," he says. "There was nothing to tell people." He says Forever 21 believes it is obligated to make a disclosure only if it finds a breach.

He adds that as a result of last week's indictments, the company is in discussions with federal authorities.

The indictments also allege that Boston Market, a fast-food chain based in Golden, Colo., was hit by credit card thieves. Company spokeswoman Angela Proctor acknowledges that the company was notified by federal authorities in 2004 of a potential breach. She says it never disclosed the matter to consumers "because we couldn't find any definite information that we'd been breached."

Proctor now says it isn't likely the company will inform consumers, "because there is no way for us to identify customers who might have been affected." She adds, "The consumer always does have an opportunity to report fraudulent activities" to credit card companies.

Bookseller Barnes & Noble issued a release last week saying it "had not received inquiries from credit card companies or customers about these alleged activities." A spokeswoman for the New York company declined to comment further.

Sports Authority didn't return phone calls to its headquarters in Englewood, Colo.

TJX, the owner of stores including the T.J. Maxx, Marshalls, HomeGoods and A.J. Wright retail chains, says it has spent $202 million in expenses related to the breach, which compromised the cards of millions of its customers. Most of the money is being used to settle lawsuits brought by consumers and banks and to pay settlements with credit card associations.

This article was reported and written by Joseph Pereira, Jennifer Levitz and Jeremy Singer-Vine for The Wall Street Journal.
