It is already being called the single largest and most complex hacking and identity theft that has ever been prosecuted.
The US Department of Justice announced today that they have charged 11 men, for their alleged involvement in a heist that hacked into nine companies and stole more than 40 million credit and debit card numbers.
The men charged are alleged to have broken into the wireless networks of major retailers including OfficeMax, Barnes & Noble, Boston Market, Sports Authority, Forever 21, DSW, BJ’s Wholesale Club and TJX, which operates retail stores T.J. Maxx (known as TK Maxx in the UK) and Marshall’s.
The 11 men, who are said to hail from the USA, Estonia, Ukraine and China, are charged with numerous crimes – including conspiracy, computer intrusion, fraud and identity theft. According to the Secret Service and Department of Justice, the “wardriving” gang sought out insecure wireless corporate networks to hack into, and installed malicious programs that stole credit card numbers and customer data.
Reports emerged last year that the TJX data breach, for instance, occurred because of weak WEP encryption in use at two of its Marshalls stores in Miami.
The stolen personal information is said to have then been sold to other criminals in the USA and Eastern Europe, with tens of thousands of dollars illegally withdrawn from ATMs using forged credit cards.
The fact is that major retailers were left not just with egg on their face, but a serious emergency when they discovered that the personal and financial details of their customers had been stolen from under their noses by computer criminals.
Hopefully the companies concerned have done a serious post mortem on what went wrong, and examined whether proper secure encryption was in place at every point of the data delivery chain, or whether there were some weak links that the hackers exploited.
The US authorities deserve our congratulations for investigating these serious crimes, and businesses and shoppers alike will be following the case with interest to see what further details emerge. One thing is clear – more companies need to learn the lessons of these serious security breaches, and make sure that they are not risking being the next big firm to put its customers’ data in jeopardy.
When the loss of credit card data came to light, TJX published information on its website for affected customers.
The charged men, one of whom is only known by an internet handle, have been named as:
-
Albert Gonzalez (also known as “Sevgec”), of Miami, USA.
Christopher Scott, of Miami, USA.
Damon Patrick Toey, of Miami, USA.
Maksym Yastremskiy (also known as “Maksik”), of Kharkov, Ukraine.
Aleksandr Suvorov (also known as “Jonny Hell”), of Sillamae, Estonia.
Sergey Pavolvich, of Belarus.
Dzmitry Burak, of Ukraine.
Sergey Storchak, of Ukraine
Hung-Ming Chiu, of China.
Zhi Zhi Wang, of China.
“Delpiero” (internet nickname).
If found guilty of all charges laid against him, Albert Gonzalez – who is being described as the ringleader of the gang – could receive a maximum sentence of life imprisonment. Fascinatingly, it is reported that Gonzalez was actually working for the US Secret Service as a “confidential informant” when they became aware of his involvement in this case.
Alleged Estonian hacker Aleksandr Suvorov, who went by the online handle “Jonny Hell”, was arrested by the American Secret Service in Germany in March.
If anyone was in any doubt as to the scale of the identity theft problem, and the fortunes that can be stolen from companies by a hardcore gang of hackers then they should check out the background to this case.
Found this article interesting? Follow Graham Cluley on Twitter, Mastodon, or Threads to read more of the exclusive content we post.
