Busted! Wardriving gang suspected of TJ Maxx data breach charged

The gang are said to have used laptops to discover and break into poorly protected wireless networks belonging to businesses

It is already being called the single largest and most complex hacking and identity theft case ever prosecuted.

The US Department of Justice announced today that it has charged 11 men for their alleged involvement in a heist that hacked into nine companies and stole more than 40 million credit and debit card numbers.

The men charged are alleged to have broken into the wireless networks of major retailers including OfficeMax, Barnes & Noble, Boston Market, Sports Authority, Forever 21, DSW, BJ’s Wholesale Club and TJX, which operates the retail chains T.J. Maxx (known as TK Maxx in the UK) and Marshalls.


The 11 men, who are said to hail from the USA, Estonia, Ukraine and China, are charged with numerous crimes – including conspiracy, computer intrusion, fraud and identity theft. According to the Secret Service and Department of Justice, the “wardriving” gang sought out insecure wireless corporate networks to hack into, and installed malicious programs that stole credit card numbers and customer data.

Reports emerged last year that the TJX data breach, for instance, occurred because of weak WEP encryption in use at two of its Marshalls stores in Miami.

The stolen personal information is said to have then been sold to other criminals in the USA and Eastern Europe, with tens of thousands of dollars illegally withdrawn from ATMs using forged credit cards.

The fact is that major retailers were left not just with egg on their face, but a serious emergency when they discovered that the personal and financial details of their customers had been stolen from under their noses by computer criminals.

Hopefully the companies concerned have done a serious post-mortem on what went wrong, and examined whether proper, secure encryption was in place at every point of the data delivery chain, or whether there were weak links that the hackers exploited.

The US authorities deserve our congratulations for investigating these serious crimes, and businesses and shoppers alike will be following the case with interest to see what further details emerge. One thing is clear – more companies need to learn the lessons of these serious security breaches, and make sure that they are not risking being the next big firm to put its customers’ data in jeopardy.

Statement on TJX website
When the loss of credit card data came to light, TJX published information on its website for affected customers.

The charged men, one of whom is only known by an internet handle, have been named as:

    Albert Gonzalez (also known as “Sevgec”), of Miami, USA.
    Christopher Scott, of Miami, USA.
    Damon Patrick Toey, of Miami, USA.
    Maksym Yastremskiy (also known as “Maksik”), of Kharkov, Ukraine.
    Aleksandr Suvorov (also known as “Jonny Hell”), of Sillamae, Estonia.
    Sergey Pavolvich, of Belarus.
    Dzmitry Burak, of Ukraine.
    Sergey Storchak, of Ukraine.
    Hung-Ming Chiu, of China.
    Zhi Zhi Wang, of China.
    “Delpiero” (internet nickname).

If found guilty of all charges laid against him, Albert Gonzalez – who is being described as the ringleader of the gang – could receive a maximum sentence of life imprisonment. Fascinatingly, it is reported that Gonzalez was actually working for the US Secret Service as a “confidential informant” when they became aware of his involvement in this case.

Alleged Estonian hacker Aleksandr Suvorov, who went by the online handle “Jonny Hell”, was arrested by the American Secret Service in Germany in March.

If anyone was in any doubt as to the scale of the identity theft problem, and the fortunes that can be stolen from companies by a hardcore gang of hackers, then they should check out the background to this case.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
