Federal prosecutors have charged 11 people with stealing more than 41 million credit and debit card numbers, cracking what officials say appears to be the largest hacking and identity theft ring ever exposed, The New York Times reported.
The thieves focused on major national retail chains like OfficeMax, Barnes & Noble, BJ’s Wholesale Club, the Sports Authority and T. J. Maxx — the discount clothes retailer that first suggested the existence of the ring early last year, when it said its systems had been breached by hackers.
The New York Times report continued:
Underscoring the multinational, collaborative aspect of organized crime today, three of the defendants are United States citizens, one is from Estonia, three are from Ukraine, two are from China and one is from Belarus. The name and whereabouts of the final defendant are unknown.
Federal officials said a principal organizer of the ring was Albert Gonzalez, a man from Miami who was indicted on Tuesday by a federal grand jury in Boston on charges of computer fraud, wire fraud, aggravated identity theft, conspiracy and other charges. If convicted on all counts, Mr. Gonzalez would face life in prison.
Mr. Gonzalez and several in his cohort drove around and scanned the wireless networks of retailers to find security holes — known as “war driving,” according to prosecutors. Once the thieves identified technical weaknesses in the networks, they installed so-called sniffer programs, obtained from collaborators overseas.
Those programs tapped into the retailers’ networks for processing credit cards and intercepted customers’ PINs and debit and credit numbers that were stored there. The thieves then spirited that information away to computers in the United States, Latvia and Ukraine.
Officials say the conspirators sold credit card numbers online and imprinted other stolen numbers on the magnetic stripes of blank cards so that they could withdraw thousands of dollars from ATMs.
To sell card numbers on the black market, the group turned to Maksym Yastremskiy of Ukraine and Aleksandr Suvorov of Estonia, who were also charged, according to prosecutors.
Mr. Yastremskiy, thought to be a major figure in the international sale of stolen credit card information, was apprehended in July 2007 on vacation in Turkey and is in prison awaiting trial on charges including credit card theft. The United States has asked Turkey to extradite him.
The indictments shed more light on the breach into the stores of TJX, the owner of T. J. Maxx. In 2005, Christopher Scott, another man who was charged, compromised wireless access points at a Marshalls in Miami and used them to download payment information from computers at TJX headquarters in Framingham, Mass., prosecutors said.
The following year, prosecutors said, the conspirators established a virtual private network connection into TJX’s payment processing server and successfully uploaded a sniffer program.
In public financial filings, TJX said it had spent around $130 million on matters related to the break-in, including legal settlements, and it expected to spend an additional $23 million in the 2009 fiscal year.
Federal officials did not have an overall tally for the amount of money stolen by the ring, but they offered some glimpses into its profitability. In the indictment against Mr. Gonzalez, federal officials asked that he be forced to forfeit more than $1.6 million, among other assets.
