US Government charges 11 in massive credit card fraud case
The US government has charged 11 people with stealing tens of millions of credit and debit card details as part of an operation that targeted numerous retailers, including those of TJX, parent company of the UK's TK Maxx chain. In March 2007 TJX admitted that 45.7 million customers' card details had been compromised, the largest such theft to date.
The US Attorney in Boston charged three people from the US, three from the Ukraine, two from China, one from Estonia and one from Belarus. The ring was headed by Miami resident Albert Gonzalez, currently being held by New York authorities on another charge of computer crime. Gonzalez was charged with computer fraud, wire fraud, access-device fraud, aggravated identity theft and conspiracy, and authorities say that, if convicted, he faces life in prison.
Retailers targeted by the ring included BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW Inc. Authorities said the data was stolen from retailers' computer networks, in the case of TJX using compromised wireless connections, and the captured card numbers were stored on servers in the US and Eastern Europe. The numbers were allegedly sold to people in the US and Europe who used them to withdraw large amounts of cash from teller machines.
Michael Sullivan, US Attorney in Boston, said in a statement "This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results," – "Consumers, companies and governments from around the world must further develop ways to protect our sensitive personal and business information."
The TJX theft affected customers of the UK's TK Maxx chain, but the breach was disclosed only because of US laws requiring disclosure in such cases, a situation that has touched off a debate about disclosure laws in Europe.
Last month Cotton Traders confirmed that on-line attackers had stolen thousands of credit card details from its web site. The details had been accessed in January, but the breach was not disclosed at the time due to the lack of regulations requiring the company to do so.