The Big Enchiladas Get Caught!

We've dribbling out cases of spammers and hackers recently arrested. Now we can report on the largest ID theft case in history!



11 are charged with massive ID theft:
41 million credit card numbers allegedly stolen in global theft ring

This is the version in The Boston Globe, August 6, 2008

A ring of people spread across the globe hacked into nine major US companies and stole and sold more than 41 million credit and debit card numbers from 2003 to 2008, costing the companies and individuals hundreds of millions of dollars, federal law enforcement officials said yesterday.

"So far as we know, this is the single largest and most complex identity theft case ever charged in this country," US Attorney General Michael Mukasey said at a news conference at the John Joseph Moakley US Courthouse in Boston.

A grand jury indictment released yesterday charged that Albert "Segvec" Gonzalez of Miami, the alleged ringleader, and his 10 conspirators cruised around with a laptop computer and tapped into accessible wireless networks.

They then hacked into the networks of TJX, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Dave & Buster's, Sports Authority, Forever 21, and DSW. After gaining access to the systems, they installed programs that captured card numbers, passwords, and account information, officials said.

In addition to Gonzalez, two other Miami residents were charged in Boston and eight other alleged conspirators were charged in San Diego. The defendants - one from Estonia, three from Ukraine, two from China, one from Belarus, and one of unknown origin - allegedly concealed the data in encrypted computer servers they controlled in Europe and the United States. They sold some of the numbers, via the Internet, to other criminals, authorities alleged.

The suspected hackers also encoded some of the stolen numbers on the magnetic strips of blank credit or debit cards, which were then used to withdraw tens of thousands of dollars from ATM machines, officials said.

It was not clear how much of the stolen information had been used.

Rene Palomino Jr., a Miami lawyer representing Gonzalez, said his client will be proven innocent. "The government will have an uphill battle to prove their allegations," said Palomino, who declined to comment on the specific allegations.

Lawyers for the other men charged in Boston did not return calls.

Part of the scheme came to the public's attention early last year, when TJX, the Framingham-based retailer that runs T.J. Maxx, Marshalls, and other stores, found that credit and debit card information had been stolen from its computer systems.

In a statement yesterday, TJX officials called on credit card companies to improve security measures to protect consumers.

"The sheer number of retailers attacked by these cyber criminals demonstrates the much broader challenges in protecting sensitive consumer data from this increasing threat," said Sherry Lang, a TJX spokeswoman. "Broader action beyond retailers alone is required to protect consumer data. Banks and the US payment card industry must join retailers and work together."

Lang called for installing proven card security measures that are in use throughout much of the world.

Ted Julian, vice president of strategy and marketing for Application Security Inc. in New York, said the indictments reflect the changing tactics of cyber-criminals. Rather than go after individual consumers, hackers are targeting major retailers, such as wireless networks, to access troves of personal data.

"There are thousands of conduits to customer data. Security isn't working and TJX is the poster child of a big data breach," Julian said. "What is needed is a different approach to secure that data far more directly where it lives."

Officials at BJ's Wholesale Club of Natick, which settled charges in 2005 with the Federal Trade Commission that it failed to take appropriate security measures to protect the sensitive information of thousands of its customers, said they are pleased by the case's progress.

"We instituted significant system upgrades . . . and we are continuously employing measures to help protect data against the ever-increasing sophistication of thieves," the company said in a statement.

At yesterday's news conference, Mukasey said that over the past three years, officials and undercover agents from various federal agencies received help from investigative agencies worldwide.

"The message is simply this: We will track you down wherever you are in the world," Mukasey said. "We will see that you are arrested, and you will go to jail."

Officials said Gonzalez was previously arrested by the Secret Service in 2003 for access device fraud. The Secret Service later discovered that Gonzalez, who was working as a confidential informant for the agency, had become involved in the credit card theft case. He is now in a federal prison in New York awaiting trial on related charges.

Christopher Scott and Damon Patrick Toey of Miami were also charged in Boston. Maksym "Maksik" Yastermskiy, Dzmitry Burak, and Sergey Storchak of Ukraine; Aleksandr "Jonny Hell" Suvorov of Estonia; Hung-Ming Chiu and Zhi Zhi Wang of China; Sergey Pavlovich of Belarus; and a person known only by the online nickname of "Delpiero" were charged in San Diego.

The indictments charge the defendants with crimes related to the sale of the stolen credit card data. Charges included conspiracy to possess unauthorized access devices, possession of unauthorized access devices, trafficking in unauthorized access devices, identity theft, aggravated identity theft, aiding and abetting, trafficking in unauthorized access devices, conspiracy to launder monetary instruments, and trafficking in counterfeit access devices.

The San Diego charges allege that Yastremskiy, Suvorov, Chiu, Wang, Delpiero, Pavolvich, Burak, and Storchak operated an international stolen credit and debit card distribution ring with operations from Ukraine, Belarus, Estonia, China, the Philippines, and Thailand. The indictments allege Yastremskiy earned more than $11 million from his illicit operation.

In May, prosecutors charged Gonzalez, Suvorov, and Yastremskiy with hacking into computer networks run by the Dave & Buster's restaurant chain and stealing credit and debit card numbers from at least 11 locations. They allegedly gained access to the cash register terminals and installed at each restaurant a computer code configured to capture credit and debit card numbers as the restaurants processed them.

At one restaurant, the so-called "packet sniffer" captured data for about 5,000 credit and debit cards, eventually causing losses of at least $600,000 to the financial institutions that issued the credit and debit cards, authorities said.

Richard Walega, a New Bedford city employee who had $6,700 in fraudulent charges appear on his bank card weeks after shopping for Christmas presents at a T.J. Maxx store in Westborough in 2006, said he was "aghast" at the scope of the crimes.

Walega said he hasn't returned to T.J. Maxx and is still awaiting a settlement from the company, which has offered vouchers, cash benefits, credit monitoring, identity theft insurance, and reimbursements to eligible victims.

"It's totally mind-boggling," he said. "I hope this is the end of the trail."

That our security systems have been so porous and weak is the real story here. that corporations still don't have robust defenses against ID theft is the tragedy!