August 6, 2008, 12:00 AM

Hackers stole more than 40 million payment card account numbers, U.S. says

In cases that go back years, a group of 11 U.S. and foreign computer hackers broke into the networks of nine retailers and stole information from more than 40 million payment card accounts, federal prosecutors have charged.

Paul Demery

Managing Editor, B2B E-commerce

In cases that go back years, a group of 11 U.S. and foreign computer hackers broke into the networks of nine retailers and stole information from more than 40 million payment card accounts, federal prosecutors have charged.

The U.S. Department of Justice and the U.S. Secret Service, who have cooperated in an investigation, say the criminal ring broke into the networks of retailers including TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market Corp., Barnes & Noble Inc., The Sports Authority, Forever 21 and DSW Inc. The criminals then used stolen account numbers to withdraw tens of thousands of dollars at a time from bank ATMs and sold some of the account numbers over the Internet to other criminals, prosecutors charge.

Although prosecutors did not give a total dollar value related to the stolen payment card account data, TJX alone has said it has set aside more than $200 million to cover costs including settlements with banks and consumers. The breach at TJX, reportedly the largest among the nine retailers, had been publicized more than a year ago. But the inclusion of the other retailers in the government’s investigation broadens the known reach of the criminal activity.

Retailers, meanwhile, were quick to put the charges into perspective, noting that some of the theft occurred years ago and that retailers have generally made progress under payment card industry security standards to upgrade how they process and store payment card account data.

“Barnes & Noble takes the privacy and security of the personal information of our customers very seriously and we are reviewing this matter carefully,” the book retailer said in a prepared statement following the federal charges. “We regularly assess and enhance our security measures and want to assure our customers that it is safe to shop at Barnes & Noble. We will assist the government in its investigation.”

Boston Market notes that federal officials notified it in January 2004 that the computer network at one of its Florida stores had been breached but that the restaurant chain was unable to conclude with help from a third-party forensics accounting firm that an actual breach had occurred, a spokeswoman says. Nonetheless, the chain has followed payment card industry security standards since then and gets its network audited every year by firms certified by Visa and MasterCard, she adds.

Shoe retailer DSW issued a statement saying it was pleased with the government’s actions. “It is gratifying to know that the relentless work of law enforcement and other authorities regarding the 2005 theft of credit card and other purchase information from a portion of our customers has led to today’s indictment,” DSW said. “We will continue to cooperate fully with all efforts to ensure justice is served.”

Tom Donlea, executive director of the Merchant Risk Council, an organization that supports network security among retailers, says large retailers, or those with $75 million or more in annual sales, have done a good job in recent years in upgrading their handling of payment card data according to security standards by Visa, MasterCard, Discover Financial Services and other providers to the payment card industry.

Although he could not comment on the security efforts of smaller retailers, Donlea warns that as larger merchants harden their networks against fraud, criminals will search for softer targets among smaller retailers. He adds that it’s crucial for all merchants to cooperate with legal authorities in revealing any known fraudulent activity. “If retailers aren’t sharing known fraud with law enforcement, it will just come back to haunt them,” he says.

Prosecutors allege that the criminal ring-three U.S. citizens, one defendant from Estonia, three from Ukraine, two from China, one from Belarus and one whose home country is unknown-started out with a crude system of “wardriving” that involves driving through commercial areas with a Internet-connected laptop to find wireless access into store networks. Once able to access a company’s network servers, the suspects were able to install “sniffer” software programs that recorded credit and debit card account data, including passwords, account numbers and other information. They then encoded the account numbers onto the magnetic strips of blank payment cards that could then be used to withdraw cash from ATMs, and sold some of the account data over the Internet to other criminals.

Prosecutors also charge that the ring used the Internet and bank accounts in Eastern Europe to conceal and launder their proceeds.

A federal grand jury in Boston has indicted Miami resident Albert “Segvec” Gonzalez on charges of computer fraud, wire fraud, access device fraud, aggravated identify theft and conspiracy for his role in the alleged scheme. Gonzalez, who had been previously arrested by the Secret Service in 2003 for access device fraud, was working as an undercover informant for the Secret Service in the retail criminal ring when federal officials discovered he was also criminally involved in the ring, prosecutors said. Other charges in Boston were brought against Miami residents Christopher Scott and Damon Patrick Toey.

In San Diego, indictments were unsealed against alleged ring members from Ukraine, Estonia, Belarus and China. The indictment against Maksym “Maksik” Yastremskiv of Kharkov, Ukraine, alleges he received more than $11 million from his participation in the ring.

Comments

Sign In to Make a Comment

Comments are moderated by Internet Retailer and can be removed.

Not a member? Signup for free today!

Advertisement

Advertisement

Advertisement

Relevant Commentary

FPO

Jason Squardo / Mobile Commerce

Five tips for achieving high mobile search rankings

Searches on mobile devices will soon exceed those on computers, Google says. Retailers that keep ...

FPO

Sergio Pereira / B2B E-Commerce

Quill turns to its B2B customers for new ideas

Coming in April is a new section of Quill.com that will let customers and Quill ...

Advertisement