[Infowarrior] - 41 million credit/debit card numbers compromised

[Richard Forno]

11 charged in connection with credit card fraud

By ANNE D'INNOCENZIO – 16 hours ago

http://ap.google.com/article/ALeqM5iL9Fn3VNKRc00RHOLhI-cC-qEVwwD92CBBI80

NEW YORK (AP) — The Department of Justice announced Tuesday that it  
had charged 11 people in connection with the hacking of nine major  
U.S. retailers and the theft and sale of more than 41 million credit  
and debit card numbers.

It is believed to be the largest hacking and identity theft case ever  
prosecuted by the Department of Justice. The charges include  
conspiracy, computer intrusion, fraud and identity theft.

The indictment returned Tuesday by a federal grand jury in Boston  
alleges that the people charged hacked into the wireless computer  
networks of retailers including TJX Cos., BJ's Wholesale Club,  
OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21  
and DSW.

"While technology has made our lives much easier it has also created  
new vulnerabilities," U.S. Attorney Michael J. Sullivan said in a  
statement. "This case clearly shows how strokes on a keyboard with a  
criminal purpose can have costly results."

The indictment alleges that the hackers installed programs to capture  
card numbers, passwords and account information, and then concealed  
the data in computer servers that they controlled in the U.S. and  
Eastern Europe.

"They used sophisticated computer hacking techniques, that would allow  
them to breach security systems and install programs that gathered  
enormous quantities of personal financial data, which they then  
allegedly either sold to others or used themselves," said Attorney  
General Michael Mukasey in a press conference. "And in total, they  
caused widespread loses by banks, retailers, and consumers."

Mukasey said the total dollar amount of the alleged theft is  
"impossible to quantify at this point." Sullivan said officials still  
haven't identified all the victims who had a credit or debit card  
number stolen.

"I suspect that a lot of people are unaware that their identifying  
information has been compromised," he said.

Sullivan said the alleged thieves weren't computer geniuses, just  
opportunists who used a technique called "wardriving," which involved  
cruising through different areas with a laptop computer and looking  
for accessible wireless Internet signals. Once they located a  
vulnerable network, they installed so-called "sniffer programs" that  
captured credit and debit card numbers as they moved through a  
retailer's processing networks.

The information was stored on two servers in Ukraine and Latvia — one  
with more than 25 million credit and debit card numbers and another  
with more than 16 million numbers, Sullivan said.

The heist was a black eye for retailers like TJX. The company, which  
initially disclosed the data breach in January 2007, said a few months  
later that at least 45.7 million cards were exposed to possible fraud  
in a breach of its computer systems that began in July 2005. Court  
filings by some banks that sued TJX put the number of cards affected  
at more than 100 million, based on estimates by officials with Visa  
and MasterCard, who were deposed in the suit.

In May, TJX said it won support from Mastercard-issuing banks for a  
settlement that will pay them as much as $24 million to cover costs  
from the data breach. A similar agreement reached last November with  
Visa-card issuing banks also was overwhelmingly approved. That  
agreement set aside as much as $40.9 million to help banks cover costs  
including replacing customers payment cards and covering fraudulent  
charges.

Under the indictments unsealed Tuesday, three of the defendants are  
U.S. citizens, one is from Estonia, three are from Ukraine, two are  
from China and one is from Belarus. One individual is only known by an  
alias online, and his place of origin is unknown.

In the Boston indictment, Albert "Segvec" Gonzalez of Miami, who is  
accused of leading the scheme, was charged with computer fraud, wire  
fraud, access device fraud, aggravated identity theft and conspiracy.  
Gonzalez, who is in custody in New York, faces a maximum penalty of  
life in prison if he is convicted of all the charges.

Indictments were unsealed Tuesday in San Diego against Maksym "Maksik"  
Yastremskiy of Kharkov, Ukraine, and Aleksandr "Jonny Hell" Suvorov of  
Sillamae, Estonia. The indictments charge them with crimes related to  
the sale of the stolen credit card data.

Furthermore, indictments against Hung-Ming Chiu and Zhi Zhi Wang, both  
of China, and a person known only by the online nickname "Delpiero"  
were also unsealed in San Diego.

Officials did not say whether any other suspects were in custody, or  
give an arraignment date for Gonzalez.

Associated Press writer Rodrique Ngowi contributed to this story from  
Boston.