The Department of Justice announced Tuesday that it had charged 11 people in connection with the hacking of nine major U.S. retailers and the theft and sale of more than 40 million credit and debit card numbers.
It is believed to be the largest hacking and identity theft case ever prosecuted by the Department of Justice. The charges include conspiracy, computer intrusion, fraud and identity theft. Three of the defendants are U.S. citizens, while the others are from places such as Estonia, Ukraine, Belarus and China.
"So far as we know, this is the single largest and most complex identity theft case ever charged in this country," said Attorney General Michael Mukasey. "It highlights the efforts of the Justice Department to fight this pernicious crime and shows that, with the cooperation of our law enforcement partners around the world, we can identify, charge and apprehend even the most sophisticated international computer hackers."
The indictment returned Tuesday by a federal grand jury in Boston alleges that the people charged hacked into the wireless computer networks of retailers including TJX Cos, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.
"While technology has made our lives much easier it has also created new vulnerabilities," U.S. Attorney Michael J. Sullivan said in a statement. "This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results."
The indictment alleges that the hackers installed programs to capture card numbers, passwords and account information, and then concealed the data in computer servers that they controlled in the U.S. and Eastern Europe.
"They used sophisticated computer hacking techniques, breaching security systems and installing programs that gathered enormous quantities of personal financial data, which they then allegedly sold to others or used themselves," Mukasey said. "And in total, they caused widespread loses by banks, retailers, and consumers."
The heist was a black eye for retailers like TJX. The company, which initially disclosed the data breach in January 2007, said a few months later that at least 45.7 million cards were exposed to possible fraud in a breach of its computer systems that began in July 2005. Court filings by some banks that sued TJX put the number of cards affected at more than 100 million, based on estimates by officials with Visa and MasterCard, who were deposed in the suit.
In May, TJX said it won support from Mastercard-issuing banks for a settlement that will pay them as much as $24 million to cover costs from the data breach. A similar agreement reached last November with Visa-card issuing banks also was overwhelmingly approved. That agreement set aside as much as $40.9 million to help banks cover costs including replacing customers payment cards and covering fraudulent charges.
Under the indictments unsealed Tuesday, three of the defendants are U.S. citizens, one is from Estonia, three are from Ukraine, two are from China and one is from Belarus. One individual is only known by an alias online, and his place of origin is unknown.
In the Boston indictment, Albert "Segvec" Gonzales of Miami, who is accused of leading the scheme, was charged with computer fraud, wire fraud, access device fraud, aggravated identity theft and conspiracy. He faces a maximum penalty of life in prison if he is convicted of all the charges.
Gonzalez was previously arrested by the Secret Service in 2003 for access device fraud. During the course of this investigation, the Secret Service discovered that Gonzalez, who was working as a confidential informant for the agency, was criminally involved in the case. Because of the size and scope of his criminal activity, Gonzalez faces a maximum penalty of life in prison if he is convicted of all the charges alleged in the Boston indictment.
Indictments were unsealed Tuesday in San Diego against Maksym "Maksik" Yastremskiy of Kharkov, Ukraine, and Aleksandr "Jonny Hell" Suvorov of Sillamae, Estonia. The indictments charge them with crimes related to the sale of the stolen credit card data.
In May 2008, Gonzalez, Suvorov and Yastremskiy also were charged in a related indictment in the Eastern District of New York. The New York charges allege that the trio was engaged in a sophisticated scheme to hack into computer networks run by the Dave & Buster's restaurant chain, and stole credit and debit card numbers from at least 11 locations.
Furthermore, indictments against Hung-Ming Chiu and Zhi Zhi Wang, both of China, and a person known only by the online nickname "Delpiero" were also unsealed in San Diego.
"Computer hacking and identity theft pose serious risks to our commercial, personal and financial security," said U.S. Attorney for the Eastern District of New York Benton J. Campbell. "Hackers who reach into our country from abroad will find no refuge from the reach of U.S. criminal justice."