Aug 6, 2008 12:07 am US/Pacific
11 Charged With Stealing 41M Credit Card Numbers
SAN JOSE (CBS 5 / AP / BCN) ―
Eleven people, including a U.S. Secret Service informant, have been charged in connection with the hacking of nine major retailers and the theft and sale of more than 41 million credit and debit card numbers, the U.S. Department of Homeland Security announced Tuesday.
"This is a case of criminality. We're talking about a huge, long-term investigation with a huge impact on people," Homeland Security Secretary Michael Chertoff said.
Chertoff was in San Jose on Tuesday meeting with technology business leaders of Silicon Valley about strengthening the security of the Internet without compromising its open architecture.
The data breach outlined was believed to be the largest hacking and identity theft case ever prosecuted by federal authorities, who said the suspects were charged with conspiracy, computer intrusion, fraud and identity theft.
The indictments returned Tuesday by a federal grand jury alleged that the suspects hacked into the wireless computer networks of retailers including TJX Cos., BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW and set up programs that captured card numbers, passwords and account information.
"They used sophisticated computer hacking techniques that would allow them to breach security systems and install programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves," U.S. Attorney General Michael Mukasey said.
Authorities called the total dollar amount of the alleged theft "impossible to quantify at this point." Justice Department officials said that while most of the victims were in the United States, officials still hadn't identified all the people who had a card number stolen.
Prosecutors said the alleged thieves weren't computer geniuses, just opportunists who used a technique called "wardriving," which involved cruising through different areas with a laptop and looking for accessible wireless Internet signals. Once they located a vulnerable network, they installed so-called "sniffer programs" that captured credit and debit card numbers as they moved through a retailer's processing networks.
The information was stored on two servers in Ukraine and Latvia—one with more than 25 million credit and debit card numbers and another with more than 16 million numbers, officials said.
The heist was a black eye for retailers like TJX. The company initially disclosed the data breach in January 2007 but said a few months later that at least 45.7 million cards were exposed to possible fraud in a breach of its computer systems that began in July 2005. Court filings by some banks that sued TJX put the number of cards affected at more than 100 million, based on estimates by officials with Visa and MasterCard, who were deposed in the suit.
In May, TJX said it won support from MasterCard-issuing banks for a settlement that will pay them as much as $24 million to cover costs from the breach. A similar agreement reached last November with Visa-card issuing banks set aside as much as $40.9 million to help banks cover costs including replacing customers' payment cards and covering fraudulent charges.
According to the indictments unsealed Tuesday, three of the defendants are U.S. citizens, one is from Estonia, three are from Ukraine, two are from China and one is from Belarus. One individual is known only by an alias online, and his place of origin is unknown.
In the indictments, the alleged ringleader Albert "Segvec" Gonzalez of Miami was charged with computer fraud, wire fraud, access device fraud, aggravated identity theft and conspiracy. Gonzalez, who is in custody in New York, faces a maximum penalty of life in prison if he is convicted of all the charges.
Gonzalez was a U.S. Secret Service informant who helped the agency take over a Web site being used to transmit stolen identifiers and stolen credit card numbers, according to Secret Service Director Mark Sullivan.
"That was the first time ever that a computer system was wiretapped," he said.
But he said the Secret Service later found out that Gonzalez had also been feeding criminals information about ongoing investigations—even warning off at least one person.
"Obviously, we weren't happy that a person working for us as an informant was double-dealing," Sullivan said.
Indictments were also unsealed Tuesday in San Diego against Maksym "Maksik" Yastremskiy of Kharkov, Ukraine, and Aleksandr "Jonny Hell" Suvorov of Sillamae, Estonia. They were charged with crimes related to the sale of the stolen credit card data.
Yastremskiy was arrested when he traveled to Turkey on vacation in July 2007. He is facing related Turkish charges, and U.S. officials said they have requested his extradition.
Justice Department officials said Suvorov was arrested on the San Diego charges by German officials in March when he traveled there on vacation. He was in custody awaiting the resolution of extradition proceedings.
Indictments against Hung-Ming Chiu and Zhi Zhi Wang, both of China, and a person known only by the online nickname "Delpiero" were also unsealed in San Diego.
A Justice Department spokeswoman said those three suspects, together with five others, are still at large. Officials did not give an arraignment date for Gonzalez.
In May, federal prosecutors in New York indicted Yastremskiy, Suvorov and Gonzalez on 27 counts of fraud and identity theft. The charges stemmed from allegations that they hacked into a national restaurant chain's computerized cash registers and stole credit card information from customers. Eleven Dave & Buster's restaurants around the United States suffered at least $600,000 in losses, prosecutors said.
(© CBS Broadcasting Inc. All Rights Reserved. This material may not be published, broadcast, rewritten or redistributed. The Associated Press and Bay City News contributed to this report.)
