ECommerceTimes.com

Feds Throw Book at 11 Customer Data Theft Suspects


The Department of Justice has mounted a massive prosecution to take down an identity theft ring that purloined millions of records from retailers and stole millions from their customers -- but the effort may do little to diminish the scale of the threat that's still out there.



The Department of Justice has charged 11 people with the theft of millions of account numbers from a long list of U.S. big box retailers including TJ Maxx, OfficeMax, Barnes & Noble, Boston Market, BJ's Wholesale Club, Forever 21, DSW, Dave & Buster's and Sports Authority.

Albert "Segvec" Gonzalez was the ringleader, according to the indictments, which were unsealed in San Diego and Boston. He is being held in New York on charges of computer fraud, wire fraud, access-device fraud, aggravated identity theft and conspiracy -- a roll call of crimes that could net him life in prison if he's convicted.

Others named in the indictment include three Americans, three Ukrainians, two Chinese nationals and two Eastern Europeans from Belarus and Estonia.

The account information was sold to other criminals who were able to cash out tens of millions of dollars, according to the indictments. Banks in Eastern Europe allegedly laundered the money.

The activities attributed to this group are at the center of the largest and most complex identity theft case ever built in the U.S., according to the prosecutors.

"If nothing else, this shows that data breaches and identity theft have become global crimes," Matt Cullina, CEO of Identity Theft 911, told CRM Buyer.

The sheer scale of this case, he said, will hopefully serve as a wake-up call to retailers that have not implemented necessary security precautions.

"There are too many retailers out there that are simply unprepared for this kind of crime, both in preventing it and then in how to notify customers," he remarked.

Low-Tech Access

The breathtaking scale of the hack attack belies the low-tech means by which the identity thieves were able to acquire the information. Essentially, they hacked into unsecured or minimally secured WiFi networks from the retail stores' parking lots -- a threat risk that was well known back in 2001. In one case, they were able to access the retailers' corporate database from a local wireless connection.

This crime wave -- and its subsequent public unveiling -- have left the retailers red-faced and, in the case of TJX, much poorer. The company has already agreed to pay more than US$60 million to credit card networks to settle complaints -- one of the largest settlements on record. Its IT operations will also be audited every two years for the next 20 years.

All told, the store will spend more than $150 million in costs related to the breach, said Phil Neray, VP at Guardium.

The attackers took advantage of some sophisticated technologies, he told CRM Buyer. Sniffer programs were installed on point-of-sale devices in many of the stores, for example. One hacker was able to access data in TJX's main data center in Framingham, Neray noted, through a wireless access point in Miami. Even that could have been prevented, though, if the retailer had properly segmented its network and installed monitoring technology in the data center.

One potential plus from this event, Neray suggested, is that the industry's understanding of what constitutes reasonable and appropriate security is likely to broaden.

Right now, retailers' security is abysmal, Michael Maloof of TriGeo Network Security told CRM Buyer. "Wireless systems can be easily secured -- if only by walking through a store's parking lot with a laptop to make sure you are not transmitting."

Customer data theft may be even more rampant than this particular case indicates. "Many stores don't know they have been hacked until complaints are made," Maloof commented.

The level of attacks is probably far higher than retailers or consumers want to acknowledge, echoed Jay Valentine, vice president of TDI.

"Companies are getting hacked internally -- particularly retailers -- every day," he told CRM Buyer. "The dirty little secret is that IT security people know it but are powerless to stop it, so they do nothing."

Consumer Issue

The charges no doubt will revive the debate over when -- and in how much detail -- a retailer should inform customers that their accounts might have been compromised.

"What we are seeing are cases in which disclosure by the retailer happens only after a period of weeks or months," Paul Davie, COO and cofounder of database security provider Secerno, told CRM Buyer.

"Ethically, these retailers need to let customers know if their data has been compromised as quickly as possible, so they can change credit cards and track for fraudulent charges."


By Erika Morphy