Tag Archive for ID Theft

Here on Long Island. Hacker Admits Guilt, Forfeits $1.65 million

Identity TheftJust over a year ago I reported on the Justice Department’s indictment of 11 “individuals” involved in an identity theft ring that targeted wireless retail networks of TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, and DSW, among others. They were charged for stealing over 130 million credit and debit card numbers.

Albert Gonzalez, hacker

Albert Gonzalez, hacker

One of those indicted was a U.S. citizen named Albert Gonzalez, age 28. Gonzalez, under arrest on one ID theft case, had been working as an informant in a second case, and was found to be criminally involved in a third identity theft ring. Over the weekend he admitted his guilt in an older case, and agreed to forfeit assets gained by crimes.  Among his assets were a condominium in Miami, a 2006 BMW, various computers and laptops, a Glock 27 firearm, a Nokia cell phone, a Tiffany diamond ring and three Rolex watches.

tjxGonzalez was scheduled to go to trial Sept. 14 in federal court in Central Islip, N.Y. His charges included operating a fraud scheme from April through September in 2007, and hacking into computers at the corporate headquarters of the Dave & Buster’s restaurant chain where he stole debit and credit card numbers. He faces 15 years to 25 years in prison.

#1 in Identity Theft Protection

On the second case, Gonzalez faces as many as 35 years in prison.In that case Gonzalez and the other hackers malware and so-called “injection strings” to attack the computers and steal data. They installed “sniffer” programs to capture data “on a real-time basis” as it moved through the computer networks. They used instant messaging services to advise each other on how to navigate the systems. They also programmed malware to evade detection by anti-virus software and erase files that might detect its presence.

Justice Department Charges 11 in ID Theft Scheme

The US Department of Justice filed charges against 11 individuals in what is believed to be one of the largest Identity Theft cases ever prosecuted in the United States. (US DoJ Press Release) The crimes involve the theft and sale of over 40 million credit card and debit card numbers from 9 major retailers and other smaller outlets between 2003 and 2008.

Three are U.S. citizens, five are from eastern Europe (Estonia, Belarus, and the Ukraine), and two from China. The final member of the ring is known only by an alias, Delpiero, and their country of origin is unknown.

Of the three U.S. citizens — Albert “Segvec” Gonzalez, Christopher Scott, and Damon Patrick Toey, all from Miami — Gonzalez faces a possible life sentence in prison due to an earlier arrest in 2003 on similar charges. Gonzalez has been in held in a New York prison since May 2008 on related charges.  Another member of the ring has been held in Turkey since June 2007.

Three Seperate Cases Combine

The case began as three seperate investigations in California, New York, and Massachusetts, but eventually it was coordinated once it became apparent that the same people were involved in all three cases.

The current indictment alleges the thieves hacked wireless retail networks of TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, and DSW, among others.  Once in, they would install software to capture account information and passwords.  All told they gained access to over 40 million credit and debit card numbers from 2003 to 2008.  They stored the information in servers in the US and Europe, and sold some account information to other criminals.

Lax Security Measures

Investigators from the FTC have charged many retailers for lax security measures for protecting consumer information.  BJ’s Wholesale Club settled charges in 2005 that it failed to take appropiate measures to protect customer account information.

Shoe discounter, DSW, also settled similar charges in 2005 after a reported security breach in 2004.

The T.J. Maxx and Marshalls stores reported their data theft of over 45 million credit and debit card numbers in January 2007.

The retailer, which offers designer-label clothes and home goods at discounted prices, in March settled a complaint with the Federal Trade Commission. Under the agreement, TJX must start an information-security program and undergo an external audit every other year for 20 years.

TJX also settled related claims by Visa Inc. and MasterCard Inc. In April. The retailer agreed to pay as much as $24 million to cover costs incurred by banks that issue MasterCards.

“We have worked very closely with law enforcement authorities as they conducted an extensive international investigation into this complex crime,” TJX spokeswoman Sherry Lang said in an e-mailed statement. “The sheer number of retailers attacked by these cyber-criminals demonstrates the much broader challenges in protecting sensitive consumer data from this increasing threat.”

Bloomberg.com