Federal prosecutors are gearing up for what they believe will be the biggest identity theft prosecution in U.S. history, after investigators broke up a major hacking ring allegedly responsible for stealing and selling more than 40 million credit and debit card numbers.
"As far as we know, this is the single largest and most complex identity theft case that's ever been charged in this country," Attorney General Michael Mukasey said today at a news conference in Boston.
Eleven suspects will face charges that include conspiracy, fraud and identity theft as part of the alleged scheme.
A federal grand jury handed down an indictment for Albert "Segvec" Gonzalez and prosecutors charged Christopher Scott and Damon Patrick Toey for allegedly hacking into wireless computer networks of several major corporations, including OfficeMax, Barnes & Noble, Boston Market, Sports Authority, Forever 21, DSW, BJ's Wholesale Club and TJX Companies, which operates retail stores T.J. Maxx and Marshall's. All three of the men reside in Miami.
Officials said that the companies involved cooperated with the investigation and made efforts to assist consumers who might have been affected by the breach. They encouraged anyone who believes their information might have been compromised to contact their individual financial institutions.
"They used sophisticated computer hacking techniques that would allow them to breach security systems and then install computer programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves," Mukasey said. "They caused widespread losses by banks, retailers and customers."
Michael Sullivan, the U.S. attorney in Massachusetts, said, "It's alleged that in the course of their sophisticated conspiracy, Gonzalez and his co-conspirators obtained credit and debit card information by war driving. War driving is simply driving around in a car with a laptop computer, looking for accessible wireless computer networks."
Prosecutors claim that once the suspects gained access to the networks, they installed "sniffer" programs, which collect account numbers and information, such as passwords. The suspects then allegedly stored the data in encrypted servers located in Eastern Europe, and sold some of the account information online to clients both there and in the United States.
"Some of the data that the conspirators did not sell, they cashed out by encoding card numbers on magnetic strips of blank cards, which they then used to withdraw tens of thousands of dollars at a time from ATM machines," Sullivan said.
The prosecutor added that Gonzalez and his alleged co-conspirators concealed and laundered the profits from the fraud scheme online and by funneling money through banks in Eastern Europe.
Gonzalez's lawyer, Rene Palomino, said Gonzales would plead not guilty to the latest charges.
"This indictment represents a substantial factual and legal challenge to the government, and we look forward to a vigorous defense," Palomino said.
In San Diego, a federal court unsealed indictments against the remaining eight suspected hackers.
Ukrainian citizen Maksym "Maksik" Yastremskiy and Aleksandr "Jonny Hell" Suvorov of Estonia are under indictment for identity theft and conspiracy charges stemming from the alleged sale of the stolen credit card data.
Two Chinese citizens, Hung-Ming Chiu and Zhi Zhi Wang, Belarusian citizen Sergey Pavolvich, Ukrainians Dzmitry Burak and Sergey Storchak, as well as an individual known only by the online alias "Delpiero" are also facing related federal charges in San Diego.
The group of foreign nationals allegedly ran a global distribution operation for stolen credit and debit cards through locations in Eastern Europe and Asia, which netted them millions of dollars in personal profit.
Mark Sullivan, the director of the U.S. Secret Service, said the inquiry started in the San Diego federal prosecutor's office, but that investigators later made connections between similar cases in other parts of the country.
"But it was three investigations going on in three U.S. attorneys offices that were eventually coordinated, and it was realized it was one ring of people who were involved in this," he said.
TJX released a statement from senior vice president Sherry Lang, who noted the company's efforts to help the investigation and thanked the law enforcement agencies involved.
"With our customers always being our primary focus, TJX has gone to great lengths to secure its customers' data," Lang said. "However, broader action beyond retailers alone is required to protect consumer data. Banks and the U.S. payment card industry must join retailers and work together, including installing the proven card security measures in the U.S. that are already in use throughout much of the rest of the world."
Mukasey noted the toll identity theft takes on victims who have to rebuild their credit, as well as the threat to national security posed by global Internet schemes. "With the worldwide reach of the Internet, criminals can now operate from almost anywhere on the globe to steal personal information from … almost anywhere on the globe, in particular from our citizens," he said.
"And when they do, there are international online marketplaces where they can peddle that stolen information."
Secret Service agents initially arrested Gonzalez in 2003. While he was working as an informant, investigators alleged he was criminally involved in the case.
"Obviously, we weren't happy that the person we had working for us as an informant was double dealing," U.S. Attorney Michael Sullivan said.
He added that Gonzalez, despite his earlier role, was "not helpful" in the subsequent investigation.
Additionally, in May 2008, a federal court in New York unsealed a grand jury indictment against Gonzalez, as well as Suvorov and Yastremskiy, for an alleged scheme to hack into restaurant chain Dave & Buster's computer networks to steal account information. Gonzalez pleaded not guilty to the charges last month but court records indicate his co-defendants have yet to enter pleas. Attorneys for Suvorov and Yastremskiy could not immediately be located.
The three suspects are all in custody; Gonzalez is in federal custody while Suvorov and Yastremskiy await extradition from Germany and Turkey, respectively. Local authorities apprehended both men while they were on vacation.
Gonzalez could face a maximum sentence of life in prison if convicted of the charges filed against him in Boston.
The investigation involved numerous federal law enforcement agencies, including the multiple branches of the Justice Department, the Internal Revenue Service and the U.S. Secret Service.