Federal prosecutors are gearing up for what they believe will be the biggest identity theft prosecution in U.S. history, after investigators broke up a major hacking ring allegedly responsible for stealing and selling more than 40 million credit and debit card numbers.
"As far as we know, this is the single largest and most complex identity theft case that's ever been charged in this country," Attorney General Michael Mukasey said today at a news conference in Boston.
Eleven suspects will face charges that include conspiracy, fraud and identity theft as part of the alleged scheme.
A federal grand jury handed down an indictment for Albert "Segvec" Gonzalez and prosecutors charged Christopher Scott and Damon Patrick Toey for allegedly hacking into wireless computer networks of several major corporations, including OfficeMax, Barnes & Noble, Boston Market, Sports Authority, Forever 21, DSW, BJ's Wholesale Club and TJX Companies, which operates retail stores T.J. Maxx and Marshall's. All three of the men reside in Miami.
Officials said that the companies involved cooperated with the investigation and made efforts to assist consumers who might have been affected by the breach. They encouraged anyone who believes their information might have been compromised to contact their individual financial institutions.
"They used sophisticated computer hacking techniques that would allow them to breach security systems and then install computer programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves," Mukasey said. "They caused widespread losses by banks, retailers and customers."
Michael Sullivan, the U.S. attorney in Massachusetts, said, "It's alleged that in the course of their sophisticated conspiracy, Gonzalez and his co-conspirators obtained credit and debit card information by war driving. War driving is simply driving around in a car with a laptop computer, looking for accessible wireless computer networks."
Prosecutors claim that once the suspects gained access to the networks, they installed "sniffer" programs, which collect account numbers and information, such as passwords. The suspects then allegedly stored the data in encrypted servers located in Eastern Europe, and sold some of the account information online to clients both there and in the United States.
"Some of the data that the conspirators did not sell, they cashed out by encoding card numbers on magnetic strips of blank cards, which they then used to withdraw tens of thousands of dollars at a time from ATM machines," Sullivan said.
The prosecutor added that Gonzalez and his alleged co-conspirators concealed and laundered the profits from the fraud scheme online and by funneling money through banks in Eastern Europe.
Gonzalez's lawyer, Rene Palomino, said Gonzales would plead not guilty to the latest charges.
"This indictment represents a substantial factual and legal challenge to the government, and we look forward to a vigorous defense," Palomino said.
In San Diego, a federal court unsealed indictments against the remaining eight suspected hackers.
Ukrainian citizen Maksym "Maksik" Yastremskiy and Aleksandr "Jonny Hell" Suvorov of Estonia are under indictment for identity theft and conspiracy charges stemming from the alleged sale of the stolen credit card data.