US authorities have charged 11 people from five countries with stealing tens of millions of credit and debit card numbers from major retailers, including TJX, in one of the largest identity-theft schemes on record.
The US attorney in Boston said the ring also stole 41 million credit and debit card numbers from retailers BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.
TJX, which owns the TK Maxx chain in the UK, was the hardest hit - acknowledging last year that data from 45.7 million credit cards was stolen from its computers, with as many as 94 million compromised in total.
The scheme originated with a Miami man - a one-time government informant - who drove around Miami with a laptop computer looking to hack into wireless networks, authorities said. It ended with consumers, retailers and banks losing tens of millions through fraudulent transactions.
Three people from the US, three from the Ukraine, two from China, one from Estonia and one from Belarus were all charged. An 11th defendant was not identified.
"Computer crimes are not confined within national borders," US Attorney General Michael Mukasey told reporters. "Criminals can now operate from almost anywhere on the global to steal personal information from almost anywhere on the globe."
The ring, which authorities said was headed by Albert Gonzalez, hacked into retailers' computer networks to steal the data, which was stored on computer servers in the US and Eastern Europe.
The ring sold the numbers to people in the US and Europe for thousands of dollars. The buyers then withdrew tens of thousands of dollars at a time from automated teller machines, officials said.
Authorities did not know the total amount of money stolen, but Michael Sullivan, the US attorney in Boston, said it was in the "tens of millions of dollars."
Gonzalez, being held by New York authorities on another computer hacking charge, was charged with computer fraud, wire fraud, access-device fraud, aggravated identity theft and conspiracy.
Gonzalez was working as an informant in a separate US Secret Service hacking investigation when authorities learned he was using information from their probe to help fellow hackers avoid arrest, authorities said.
"Obviously we weren't happy that someone we had working for us as an informant was double-dealing," said Michael Sullivan, director of the US Secret Service.
Gonzalez faces life in prison if convicted on all charges.
TJX agreed since disclosing the breach to pay more than $60 million (30 million) to credit card networks Visa and MasterCard to settle complaints related to the theft - one of the largest on record based on the number of accounts involved.
"The sheer number of retailers attacked by these cyber criminals demonstrates the much broader challenges in protecting sensitive consumer data from this increasing threat," said Sherry Lang, senior vice president at TJX.
The vulnerability that Gonzalez exploited has been around "as long as we have had Wi-Fi" wireless networks," said Ted Julian, vice president of strategy and marketing at Application Security, a maker of database security software.
With multiplying entry points into corporate networks via wireless store networks, cash registers and even in-store computer kiosks for job applicants, hackers have more weak spots to exploit.
Corporations may need to protect specific internal databases that contain sensitive consumer data, Julian said.
"Rather than locking every single door, let's get all the safes," Julian said. "Not that we don't want to lock the doors, but if that worked, then we wouldn't be in this mess."
-
Google faces 'first of its kind' class action for search ads overcharging in UKNews Google faces a "first of its kind" £5 billion lawsuit in the UK over accusations it has a monopoly in digital advertising that allows it to overcharge customers.
-
Neural interfaces promise to make all tech accessible – it’s not that simpleColumn Better consideration of ethics and practical implementation are needed if disabled people are to benefit from neural interfaces
-
ID cards decommissionedNews Although few got on board with the scheme, any existing UK ID cards are now useless for proof of identity when travelling.
-
Brown: ID cards needed to tackle immigrationNews In the second leaders' debate last night, prime minister Gordon Brown stuck to his guns when it came to ID cards and biometric passports.
-
Clegg calls for ID cards to be scrapped in first TV debateNews UK politics took a step forward last night with its first television debate and digital Britain wasn't far from one of the prospective prime minister's lips.
-
Government wants business ideas for ID cardsNews The government's created the infrastructure, now it's time for the public and private sector to come up with applications, according to minister Meg Hillier.
-
The worst IT disasters of 2009In-depth There were a lot of high points in tech this year, but some pretty big screw ups, too. Here are our top 10 IT failures of the year.
-
Foreign nationals ID cards expeditedNews Workers with a UK job-offer to get ID cards early, the government has confirmed.
-
Government appoints first ID commissionerNews Former Home Office employee Sir Joseph Pilling will be the independent watchdog for the ID card scheme.
-
Week in Numbers: Stamping out spam?News Research reveals that many viruses leave PCs within 24 hours, and Opera releases its third beta for its Opera 10 browser.
