11 charged in theft of more than 40M card numbers
An international group of hackers is accused of breaking into nine retailers' networks and stealing more than 40 million credit and debit card numbers.
(CNN) -- Eleven people, including three U.S. citizens, were indicted Tuesday on a number of charges in connection with the hacking of nine major U.S. retailers and the theft and sale of more than 40 million credit and debit card numbers, federal authorities said.
The case is believed to be the largest hacking and identity theft case ever prosecuted by the Department of Justice. Indictments were returned or unsealed Tuesday in Boston, Mass., and San Diego, Calif., while earlier charges were brought in New York, prosecutors said.
Three of the defendants are from Estonia, three are from Ukraine, two are from China and one is from Belarus. The remaining individual is known only by an alias, authorities said, and the person's whereabouts are unknown.
Under the indictments, three Miami, Florida, men - Albert "Segvec" Gonzalez, Christopher Scott and Damon Patrick Toey - are accused of hacking into the wireless computer networks of retailers including TJX Companies (TJX, Fortune 500), whose stores include Marshall's and T.J. Maxx, BJ's Wholesale Club (BJ, Fortune 500), OfficeMax (OMX, Fortune 500), Barnes and Noble (BKS, Fortune 500) and Sports Authority, among others.
Once inside, the three installed "sniffer" programs designed to capture credit card numbers, passwords and account information as they moved through the retailers' card processing networks, said Michael Sullivan, the U.S. attorney in Boston.
"This has other personal numbers that could give them access to credit or debit cards that have already been issued and are active," Sullivan told CNN.
The probe began in late 2006, Sullivan said. In addition to the Justice Department, the Secret Service has been conducting an undercover investigation for more than three years through the U.S. attorney's office in San Diego, he said.
The three then concealed the data in encrypted computer servers they controlled in the United States and eastern Europe, the Department of Justice said in a statement. Some of the credit and debit card numbers were sold over the Internet to others, and were "cashed out" by encoding the numbers on the magnetic strips of blank cards. "The defendants then used these cards to withdraw tens of thousands of dollars at a time from ATMs," authorities said.
"Identity theft can involve a single criminal stealing the personal financial information of a single victim or, as it did here, it can involve a group of criminals stealing the credit card numbers of millions of people, many of whom may not even learn that they were victims for months or years," said Attorney General Michael Mukasey.
"Identity theft victims suffer well beyond the immediate financial costs; they suffer lost confidence in their privacy and security, as well as the emotional strain and the time it can take to repair damaged financial lives and credit histories. In many cases, the effects of these crimes can be felt for years after they are committed."
Gonzalez and the others used anonymous Internet-based currencies to conceal and launder their proceeds, as well as channeling funds through bank accounts in eastern Europe, the department said.
"There are ties between all three districts and ties internationally that go all the way to the Ukraine and Latvia," Sullivan said. "The 41 million credit and debit numbers were used internationally."
Gonzalez was previously arrested in 2003 by the Secret Service on suspicion of access device fraud, the Department of Justice said, and was working as a confidential informant for the agency. However, the Secret Service discovered during the investigation that Gonzalez was involved in this case, authorities said.
The California counts charge eight others with operating an international stolen credit and debit card distribution ring, selling stolen card information for personal gain -- millions of dollars, in at least one case, authorities said.
Three of the defendants in the newest case were also charged in May in a related indictment in New York, the Department of Justice said. Those charges allege the three were engaged in a scheme to hack into computer networks run by the Dave and Buster's restaurant chain and steal credit and debit card numbers from at least 11 locations. The three installed "sniffer" programs at the cash register terminals of the locations, capturing credit and debit card numbers, authorities said. At one location, the sniffer captured data for some 5,000 cards, causing some $600,000 in losses to the banks that issued the credit and debit cards.
Gonzalez is awaiting trial on the New York charges. Two of the international defendants are also in custody, police said.
Mukasey and other officials said the case serves as a reminder that computer crimes can cross international borders.
"We have been working with countries around the world to identify and address technical vulnerabilities in computer networks, and to ensure that laws and procedures are adequate to deal with these kinds of crime," Mukasey said. "And we have been working closely with our international partners to crack specific cases when they take us beyond our borders."