By Simone Baribeau and Ellen Nakashima
Washington Post Staff Writers
Wednesday, August 6, 2008
Federal prosecutors charged 11 people yesterday with the theft and sale of more than 40 million credit and debit card numbers from at least nine U.S. retailers in what they said was one of the largest and most complex hacking and identity theft cases ever brought.
Officials with the Department of Justice said the people indicted were part of a criminal ring that stretched from the United States to Eastern Europe to East Asia, highlighting the global nature of computer crime. Charges of conspiracy, computer intrusion, fraud and identity theft have been brought against people from Estonia, Ukraine, China and Belarus, as well as the United States.
One person, known only by an online alias, Delpiero, has not been located.
Using sophisticated hacking techniques that included cruising for wireless networks, officials said the accused breached security systems to obtain credit and debit numbers from shoppers at major retailers such as T.J. Maxx and Marshalls, which are owned by TJX Cos.; Barnes & Noble; BJ's Wholesale Club; and Sports Authority.
"Cases like this send a clear message to those who might be tempted to abuse our computer networks to steal information and harm law-abiding people and businesses: If you do, we will track you down wherever you are in the world, we will arrest you, and we will send you to jail," Attorney General Michael B. Mukasey said at a news conference yesterday.
He said the case highlights the increasing vulnerability of personal information to theft.
"Millions of Americans have had their identities compromised each year," he said. "The annual costs to American citizens and businesses are in the billions."
The thefts began in 2003 and continued through this year. But it was not until February 2007 that the largest incident came to light -- that TJX had suffered a data breach of at least 45 million credit and debit cards from customers in the United States, Britain and Canada going back to 2005.
It was not clear until yesterday that all the breaches, which also affected OfficeMax, Boston Market, Forever 21 and DSW, were related.
"This was a big deal -- that they finally proved it's all linked," said Avivah Litan, an analyst with Gartner Consulting. "It's the same guys, the same criminals."
A grand jury yesterday indicted Albert "Segvec" Gonzalez of Miami on charges of computer fraud, wire fraud, access device fraud, aggravated identity theft and conspiracy. According to the indictment, Gonzalez and his co-conspirators obtained the credit card numbers by "wardriving," or driving around in commercial areas of Miami looking for accessible WiFi networks. They allegedly hacked into those networks on their laptop and installed "sniffer" programs that captured card numbers, passwords and other personal information.
According to officials, their first hit was BJ's in 2003. Two years later, one of Gonzalez's alleged conspirators was able to access TJX's customer data by repeatedly hacking into the computers of a Marshalls in Miami. In May 2006, they allegedly uploaded a program that gave them access to credit card information as it was being processed.
This year, Gonzalez allegedly dumped 25 million distinct credit and debit card numbers onto a Ukrainian server and 16 million onto a Latvian server. The pilfered credit card information, some of which was stored on computer servers in the United States and Eastern Europe, was used to encode magnetic strips of blank cards, which were used to withdraw tens of thousands of dollars from ATMs.
Gonzalez had been arrested by the Secret Service in 2003 and later became a confidential informant for the agency. During the course of the hacking investigation, officials said they discovered that he allegedly was involved.
He and at least two others, who are in Turkey and Germany, have been detained. If convicted, Gonzalez could face life in prison.
Also yesterday, indictments were unsealed in San Diego against Maksym "Maksik" Yastremskiy of the Ukraine; Aleksandr "Jonny Hell" of Estonia; and Hung-Ming Chiu and Zhi Zhi Wang, both of China.
In San Diego, Sergey Pavolvich of Belarus, and Dzmitry Burak and Sergey Storchak of the Ukraine, were charged with conspiracy to traffic in unauthorized access devices. Two Miami men, Christopher Scott and Damon Patrick Toey, were also named as part of the conspiracy.
The indictments are the result of a three-year undercover investigation conducted out of the San Diego Field Office of the U.S. Secret Service.
The investigation involved the Justice Department; U.S. attorneys' offices for the District of Massachusetts, the Southern District of California and the Eastern District of New York; the Internal Revenue Service and the Secret Service.
"This truly has been a collaboration," said Secret Service Director Mark Sullivan. "This is the largest, most sophisticated identity-theft ring ever prosecuted by the DOJ."
Sullivan said that officials had taken over a Web site that various criminals were using and that this was the first time a computer system had been wiretapped.
Litan said the indictments are a "big victory" for law enforcement. "But the big question is, How many didn't they get?"