BOSTON (Reuters) - U.S. authorities charged 11 people from five countries with stealing tens of millions of credit and debit card numbers from major retailers, including TJX Cos (TJX.N), in one of the largest identity-theft schemes on record.
The U.S. Attorney in Boston said on Tuesday the ring also stole 41 million credit and debit card numbers from retailers BJ’s Wholesale Club BJ.N,OfficeMax OMX.N, Boston Market, Barnes & Noble (BKS.N), Sports Authority, Forever 21 and DSW (DSW.N).
TJX, which owns the Marshall’s and TJ Maxx chains, was the hardest hit — acknowledging last year that data from 45.7 million credit cards was stolen from its computers.
The scheme originated with a Miami man — a one-time government informant — who drove around Miami with a laptop computer looking to hack into wireless networks, authorities said. It ended with consumers, retailers and banks losing tens of millions of dollars due to fraudulent transactions.
Three people from the United States, three from the Ukraine, two from China, one from Estonia and one from Belarus were all charged. An 11th defendant was not identified.
“Computer crimes are not confined within national borders,” U.S. Attorney General Michael Mukasey told reporters at the federal courthouse in Boston. “Criminals can now operate from almost anywhere on the global to steal personal information from almost anywhere on the globe.”
The ring, which authorities said was headed by Albert Gonzalez — who invited a co-conspirator to live rent-free in his Miami apartment in exchange for his help with the scheme — hacked into retailers’ computer networks to steal the data, which was stored on computer servers in the U.S. and Eastern Europe.
The ring sold the numbers to people in the U.S. and Europe for thousands of dollars. The buyers then withdrew tens of thousands of dollars at a time from automated teller machines, officials said.
Authorities did not know the total amount of money stolen, but Michael Sullivan, the U.S. Attorney in Boston, said it was in the “tens of millions of dollars.”
Gonzalez, being held by New York authorities on another computer hacking charge, was charged with computer fraud, wire fraud, access-device fraud, aggravated identity theft and conspiracy.
Gonzalez was working as an informant in a separate U.S. Secret Service hacking investigation when authorities learned he was using information from their probe to help fellow hackers avoid arrest, authorities said.
“Obviously we weren’t happy that someone we had working for us as an informant was double-dealing,” said Michael Sullivan, director of the U.S. Secret Service.
Gonzalez faces life in prison if convicted on all charges.
TJX agreed since disclosing the breach to pay more than $60 million (30 million pounds) to credit card networks Visa (V.N) and MasterCard (MA.N) to settle complaints related to the theft — one of the largest on record based on the number of accounts involved.
“The sheer number of retailers attacked by these cyber criminals demonstrates the much broader challenges in protecting sensitive consumer data from this increasing threat,” said Sherry Lang, senior vice president at TJX.
The vulnerability that Gonzalez exploited has been around “as long as we have had Wi-Fi” wireless networks,” said Ted Julian, vice president of strategy and marketing at Application Security Inc, a maker of database security software.
With multiplying entry points into corporate networks via wireless store networks, cash registers and even in-store computer kiosks for job applicants, hackers have more weak spots to exploit.
Corporations may need to protect specific internal databases that contain sensitive consumer data, Julian said.
“Rather than locking every single door, let’s get all the safes,” Julian said. “Not that we don’t want to lock the doors, but if that worked, then we wouldn’t be in this mess.”
Editing by Mark Porter and Jeffrey Benkoe