The Justice Department charged 11 people with stealing more than 40 million credit- and debit-card numbers from nine retailers including T.J. Maxx, calling it the largest U.S. identity theft prosecution.
The defendants tapped the computer networks of TJX Cos.' Marshalls, BJ's Wholesale Club Inc., Barnes & Noble Inc. bookstores, Sports Authority, Boston Market Corp., OfficeMax Inc., Dave & Buster's restaurants, DSW Inc. shoe stores and Forever 21, the government said Tuesday.
“This is the single largest and most complex identity theft case that has ever been charged in this country,” Attorney General Michael Mukasey said at news conference in Boston. The indictment “highlights our increasing vulnerability to the theft of personal information.”
The cost of the identity theft scheme to citizens may total billions of dollars, Mukasey said. Some people may not learn they've been victims “for months or years,” he added.
Indictments by federal grand juries in Boston and San Diego charged three U.S. residents and defendants from other countries, including Estonia, Ukraine and China, with identity theft, fraud and conspiracy, the Justice Department said.
They allegedly hacked into retailers' data systems by driving around the stores with a laptop, kept the information in personal computers in the U.S. and eastern Europe and converted some of it into ready-to-use bank cards, according to federal prosecutors.
The defendants installed “sniffer” software in the retailers' computer systems to capture credit and debit-card numbers along with passwords and account information, Mukasey said. Some of them encoded credit-card numbers on blank automated-teller cards to withdraw tens of thousands of dollars at a time from ATM machines, the government said.
Some of the same defendants were indicted in Brooklyn, New York, federal court in May, the government said.
The case began as three separate investigations of identity theft in southern California, New York and Boston. The probes were “eventually coordinated” after investigators “realized that one ring of people were involved,” Mukasey said.
TJX, the Framingham, Mass.-based owner of the T.J. Maxx and Marshalls discount chains, said in January 2007 that hackers had broken into its computer system and stolen about 45.7 million credit- and debit-card numbers.
Settled earlier complaint
The retailer, which offers designer-label clothes and home goods at discounted prices, in March settled a complaint with the Federal Trade Commission. Under the agreement, TJX must start an information-security program and undergo an external audit every other year for 20 years.
TJX also settled related claims by Visa Inc. and MasterCard Inc. in April. The retailer agreed to pay as much as $24 million to cover costs incurred by banks that issue MasterCards.
“We have worked very closely with law enforcement authorities as they conducted an extensive international investigation into this complex crime,” TJX spokeswoman Sherry Lang said in an e-mailed statement. “The sheer number of retailers attacked by these cyber-criminals demonstrates the much broader challenges in protecting sensitive consumer data from this increasing threat.”
In 2005, BJ's Wholesale Club and DSW Inc., the shoe discounter, also settled Federal Trade Commission allegations that they failed to protect customer credit card information.
‘An old breach'
DSW is cooperating with the U.S. probe, DSW General Counsel Bill Jordan said in an e-mailed statement. The FTC alleged that both companies failed to use “readily available security measures” to prevent hackers from stealing data off their wireless networks used to verify consumers' information.
“This is an old breach. It's from 2004, so we are pleased that progress is being made on this,” BJ's spokeswoman Julie Somers said.
The company's system now meets all credit card industry standards for protection of customer data, she said.