Guys Driving Around Stole 41 Million Credit Card Numbers

Last Updated Aug 6, 2008 1:31 PM EDT

If you're like me, you are not exactly breathing a sigh of relief at yesterday's news that the 11 people charged with stealing 41 million credit card numbers from major retailers did so by driving around with a laptop looking for wireless connections.

It was just that easy to invade the computer systems of nine national retailers: TJX (T.J. Maxx and Marshalls), Office Max, Barnes & Noble, Sports Authority, Boston Market, DSW Shoe Warehouse, Dave & Buster's, Forever 21, and B.J.'s Wholesale Club.

Such a mundane activity for such a huge illegal enterprise. One wonders what kind of car they drove or what radio station they listened to as they worked. Was there fast food involved?

And what exactly were the IT people at these nine retailers thinking? That 41 million figure could go much higher -- it represents how many card numbers were found on servers in Latvia and Ukraine. TJX, the largest victim and the one that pointed federal officials to the theft ring, has said 45.7 million of its customers were potentially compromised.

The 11 men, led by organizer Albert Gonzales of Miami, come from Estonia, the Ukraine, China, and Belarus as well as the United States. Stolen credit and debit card numbers were imprinted onto counterfeit credit card blanks in Eastern Europe, China, the Philippines, and Thailand and used to withdraw money from ATMs with stolen PIN codes.

Attorney General Michael Mukasey said the total dollar amount of the alleged theft is "impossible to quantify at this point." The Wall Street Journal talked to several retailers named in the indictments, including Boston Market and Barnes & Noble, who said they had never reported a security breach.

In Boston, U.S. Attorney Michael J. Sullivan said officials still haven't identified all the victims. "I suspect that a lot of people are unaware that their identifying information has been compromised," he said.

How did your credit card number get to Latvia? "War driving" is the practice of tooling around shopping centers looking for open wireless connections.

In the case of TJX, Christopher Scott of Miami got into a Florida Marshalls store's wireless network in July 2005 and downloaded payment info. Eventually, the theft ring was able to establish a virtual private network connection to TJX headquarters in Framingham, Mass., and install a sniffer program on its payment processing server. Those numbers went to middlemen in Eastern Europe who wholesaled them to thieves.

TJX didn't discover the breach until December 2006 and announced it in January 2007. The retailer paid out $123 million in legal and reimbursement costs related to the data theft in its last fiscal year.

The hackers installed sniffers on cash register terminals in at least 11 Dave & Buster's locations and captured card numbers as they were processed. According to the Boston Globe, a packet sniffer at one restaurant captured about 5,000 debit and credit card numbers and caused $600,000 in losses.

Gaping holes in wireless security are everywhere. My husband, a Mac consultant in Denver, kept wireless connection finder iStumbler running on his MacBook one day while he drove across town to a client's office. It picked up more than 200 open wireless points from offices, stores, and homes, including one named "GET YOUR OWN F***ING INTERNET." This might be funny except it's not.

Gonzales managed to keep stealing credit card numbers even as he served as a federal informant, starting in 2003. The return of $1.6 million is being sought from Gonzales; conspirator Maksym Yastremskiy of Ukraine earned $11 million from the theft ring.

According to the New York Times, "The name and whereabouts of the final defendant are unknown." This does not inspire confidence either.

Photo by Jeff Sandquist via Flickr, CC 2.0

  • Lisa Everitt

    A Denver-based business writer, Lisa Everitt is a veteran of daily and weekly newspapers and trade magazines, including The Natural Foods Merchandiser, Rocky Mountain News, Inter@ctive Week, San Francisco Business Times, and the Peninsula Times Tribune.