11 People Charged in Largest ID Theft Case

This article is from the archive of The New York Sun before the launch of its new website in 2022. The Sun has neither altered nor updated such articles but will seek to correct any errors, mis-categorizations or other problems introduced during transfer.

The New York Sun

CHIGCAO — The Justice Department charged 11 people with stealing more than 40 million credit- and debit-card numbers from nine retailers including T.J. Maxx, calling it the largest American identity theft prosecution.

The defendants tapped the computer networks of TJX Cos.’ Marshalls, BJ’s Wholesale Club Inc., Barnes & Noble Inc. bookstores, Sports Authority, Boston Market Corp., OfficeMax Inc., Dave & Buster’s restaurants, DSW Inc. shoe stores, and Forever 21, the government said yesterday.

“This is the single largest and most complex identity theft case that has ever been charged in this country,” Attorney General Mukasey said at news conference in Boston. The indictment “highlights our increasing vulnerability to the theft of personal information.”

The cost of the identity-theft scheme to citizens may total billions of dollars, Mr. Mukasey said. Some people may not learn they’ve been victims “for months or years,” he added.

Indictments by federal grand juries in Boston and San Diego charged three American residents and defendants from other countries including Estonia, Ukraine, and China with identity theft, fraud, and conspiracy, the Justice Department said in a statement.

They allegedly hacked into retailers’ data systems by driving around the stores with a laptop, kept the information in personal computers in America and eastern Europe and converted some of it into ready-to-use bank cards, according to federal prosecutors.

The defendants installed “sniffer” software in the retailers’ computer systems to capture credit and debit-card numbers along with passwords and account information, Mr. Mukasey said. Some of them encoded credit-card numbers on blank automated-teller cards to withdraw tens of thousands of dollars at a time from ATM machines, the government said.

Some of the same defendants were indicted in Brooklyn, New York, federal court in May, the government said.

The case began as three separate investigations of identity theft in southern California, New York, and Boston. The probes were “eventually coordinated” after investigators “realized that one ring of people were involved,” Mr. Mukasey said.

TJX, the Framingham, Massachusetts-based owner of the T.J. Maxx and Marshalls discount chains, said in January 2007 that hackers had broken into its computer system and stolen about 45.7 million credit- and debit-card numbers.

The retailer, which offers designer-label clothes and home goods at discounted prices, in March settled a complaint with the Federal Trade Commission. Under the agreement, TJX must start an information-security program and undergo an external audit every other year for 20 years.

TJX also settled related claims by Visa Inc. and MasterCard Inc. In April. The retailer agreed to pay as much as $24 million to cover costs incurred by banks that issue MasterCards.

“We have worked very closely with law enforcement authorities as they conducted an extensive international investigation into this complex crime,” a TJX spokeswoman, Sherry Lang, said in an e-mail statement. “The sheer number of retailers attacked by these cyber-criminals demonstrates the much broader challenges in protecting sensitive consumer data from this increasing threat.”

In 2005, BJ’s Wholesale Club and DSW Inc., the shoe discounter, also settled Federal Trade Commission allegations that they failed to protect customer credit card information from theft by hackers.

DSW is cooperating with the U.S. probe, DSW General Counsel Bill Jordan said in an e-mail statement. The FTC alleged that both companies failed to use “readily available security measures” to prevent hackers from stealing data off their wireless networks used to verify consumers’ information.

“This is an old breach. It’s from 2004, so we are pleased that progress is being made on this,” a BJ’s spokeswoman, Julie Somers, said. “We fully cooperated with the U.S. Attorney’s office and will continue to do so if asked.”

The company’s system now meets all credit card industry standards for protection of customer data, she said.


The New York Sun

© 2024 The New York Sun Company, LLC. All rights reserved.

Use of this site constitutes acceptance of our Terms of Use and Privacy Policy. The material on this site is protected by copyright law and may not be reproduced, distributed, transmitted, cached or otherwise used.

The New York Sun

Sign in or  Create a free account

or
By continuing you agree to our Privacy Policy and Terms of Use