11 Charged in Global Theft, Sale Of 40 Million Card Numbers

Federal prosecutors charged 11 people yesterday with the theft and sale of more than 40 million credit and debit card numbers from at least nine U.S. retailers in what they said was one of the largest and most complex hacking and identity theft cases ever brought.

Officials with the Department of Justice said the people indicted were part of a criminal ring that stretched from the United States to Eastern Europe to East Asia, highlighting the global nature of computer crime. Charges of conspiracy, computer intrusion, fraud and identity theft have been brought against people from Estonia, Ukraine, China and Belarus, as well as the United States.

One person, known only by an online alias, Delpiero, has not been located.

Using sophisticated hacking techniques that included cruising for wireless networks, officials said the accused breached security systems to obtain credit and debit numbers from shoppers at major retailers such as T.J. Maxx and Marshalls, which are owned by TJX Cos.; Barnes & Noble; BJ's Wholesale Club; and Sports Authority.

"Cases like this send a clear message to those who might be tempted to abuse our computer networks to steal information and harm law-abiding people and businesses: If you do, we will track you down wherever you are in the world, we will arrest you, and we will send you to jail," Attorney General Michael B. Mukasey said at a news conference yesterday.

He said the case highlights the increasing vulnerability of personal information to theft.

"Millions of Americans have had their identities compromised each year," he said. "The annual costs to American citizens and businesses are in the billions."

The thefts began in 2003 and continued through this year. But it was not until February 2007 that the largest incident came to light -- that TJX had suffered a data breach of at least 45 million credit and debit cards from customers in the United States, Britain and Canada going back to 2005.

It was not clear until yesterday that all the breaches, which also affected OfficeMax, Boston Market, Forever 21 and DSW, were related.

"This was a big deal -- that they finally proved it's all linked," said Avivah Litan, an analyst with Gartner Consulting. "It's the same guys, the same criminals."

A grand jury yesterday indicted Albert "Segvec" Gonzalez of Miami on charges of computer fraud, wire fraud, access device fraud, aggravated identity theft and conspiracy. According to the indictment, Gonzalez and his co-conspirators obtained the credit card numbers by "wardriving," or driving around in commercial areas of Miami looking for accessible WiFi networks. They allegedly hacked into those networks on their laptop and installed "sniffer" programs that captured card numbers, passwords and other personal information.

According to officials, their first hit was BJ's in 2003. Two years later, one of Gonzalez's alleged conspirators was able to access TJX's customer data by repeatedly hacking into the computers of a Marshalls in Miami. In May 2006, they allegedly uploaded a program that gave them access to credit card information as it was being processed.