21 October 2016
Visit dh.com

US authorities bust card hacking gang in biggest ever ID fraud case

06 August 2008  |  12053 views  |  0 digital fingerprints

US authorities have indicted an international criminal gang thought to be responsible for the theft and sale of over 40 million credit and debit card numbers that were hacked from the computer systems of nine major US retailers, including TJX.

In what is believed to be the largest hacking and ID theft case ever prosecuted by the Department of Justice (DoJ), three US citizens, one man from Estonia, three from Ukraine, two from China and one from Belarus, as well as another individual who is only known by an online alias, have been charged with numerous counts of fraud and ID theft.

In an indictment by a federal grand jury in Boston, Albert "Segvec" Gonzalez, of Miami, was charged with computer fraud, wire fraud, access device fraud, aggravated ID theft and conspiracy for his role in the scheme.

Gonzalez, alongside Christopher Scott and Damon Patrick Toey, all from Miami, are accused of hacking into the wireless computer networks of retailers, including TJX, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.

The defendants allegedly installed "sniffer" programs that would capture card numbers, as well as password and account information, as they moved through the retailers' credit and debit processing networks.

Once the data was harvested it was concealed in encrypted computer servers that the defendants controlled in Eastern Europe and the US, says the DoJ. Some of the card numbers were sold to other criminals in the US and Eastern Europe over the Internet.

The stolen numbers were "cashed out" by encoding card numbers on the magnetic strips of blank cards. The DoJ says the defendants then used these cards to withdraw tens of thousands of dollars at a time from ATMs.

Prosecutors say Gonzalez and others were allegedly able to conceal and launder their fraud proceeds by using anonymous Internet-based currencies both within the US and abroad and by channelling funds through bank accounts in Eastern Europe.

Meanwhile, in related charges bought in San Diego, eight people are accused of operating an international stolen credit and debit card distribution ring.

In May Gonzalez, and two of the men charged in San Diego were also charged in a related indictment in New York alleging that the trio hacked into computer networks run by the Dave & Buster's restaurant chain and stole card numbers from at least 11 locations.

Gonzalez had been arrested by the secret service for access device fraud in 2003 and was actually working for the agency as an informant. But during the course of the investigation it was discovered he was involved in the activities, says the DoJ. He now faces a maximum penalty of life in prison if he is convicted of all the charges alleged in the Boston indictment.

In a statement released by the DoJ, US Attorney General, Michael Mukasey, says: "So far as we know, this is the single largest and most complex identity theft case ever charged in this country."

US Attorney Michael Sullivan, adds: "While technology has made our lives much easier it has also created new vulnerabilities. This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results."

Convictions have already been made in connection to the stolen data. Last September the ringleader of a gang that used financial information stolen during the computer hacking at TJX was sentenced to five years in prison and ordered to pay nearly $600,000 in restitution.

Irving Escobar, 19, from Miami, pleaded guilty to charges that he participated in a criminal operation that used counterfeit cards featuring credit card data stolen data from the TJX data breach in December 2006.

Five other gang members who were accused of playing lesser roles in the operation also pleaded guilty to similar charges in Florida courts.

However, this gang is not believed to have been involved in the actual hacking at TJX.

UK card cloner jailed

On a smaller scale, a UK petrol station worker who used a fake card reader to clone the bank cards of hundreds customers in the Leicestershire village of Houghton-on-the-Hill has been jailed.

Abdul Samad Mohamed Raik, 33, used the card details of more than 500 cards to steal around £175,000 between October and December last year.

Raik gave himself up to police in March and admitted obtaining property by deception. He was sentenced to two years and nine months.

Comments: (0)

Comment on this story (membership required)

Finextra news in your inbox

For Finextra's free daily newsletter, breaking news flashes and weekly jobs board: sign up now

Related stories

TJX settles with MasterCard over security breach

TJX settles with MasterCard over security breach

03 April 2008  |  7300 views  |  0 comments
TJX settles with banks over credit card data breach

TJX settles with banks over credit card data breach

19 December 2007  |  8986 views  |  0 comments
TJX settles with Visa

TJX settles with Visa

30 November 2007  |  5509 views  |  0 comments
TJX breach gets bigger with 94 million card numbers exposed

TJX breach gets bigger with 94 million card numbers exposed

25 October 2007  |  9291 views  |  0 comments
TJX card fraud gang leader jailed

TJX card fraud gang leader jailed

18 September 2007  |  7558 views  |  0 comments
Ukrainian man linked to TJX hacking

Ukrainian man linked to TJX hacking

22 August 2007  |  6209 views  |  0 comments
TJX hack is biggest ever with 45.7 million card numbers stolen

TJX hack is biggest ever with 45.7 million card numbers stolen

29 March 2007  |  13990 views  |  1 comments
Massachusetts attorney general to probe TJX data breach

Massachusetts attorney general to probe TJX data breach

09 February 2007  |  8364 views  |  0 comments
Visit www.i2cinc.comFind out moreVisit capgemini.com

Top topics

Most viewed Most shared
The bank of the future will be invisible - KPMGThe bank of the future will be invisible -...
31264 views comments | 114 tweets | 210 linkedin
New EU rules could cost UK firms £122bn in cybersecurity fines - PCI SSCNew EU rules could cost UK firms £122...
10583 views comments | 31 tweets | 36 linkedin
Barclays and Citi test blockchain tech for equity swaps processingBarclays and Citi test blockchain tech for...
8265 views comments | 24 tweets | 16 linkedin
ING takes fintech startup route to UK relaunchING takes fintech startup route to UK rela...
6810 views comments | 29 tweets | 21 linkedin
Thinking Capital launches AI-powered chatbotThinking Capital launches AI-powered chatb...
6392 views comments | 12 tweets | 8 linkedin

Featured job

Find your next job