Federal authorities said Tuesday that they had cracked the largest case of identity theft in U.S. history, charging 11 people in the theft of more than 40 million credit and debit card account numbers from computer systems at such major retailers as TJ Maxx and Barnes & Noble.
The three-year investigation by federal agencies and overseas allies brought home the global nature of the Internet's underground economy as agents tracked leads from China to Ukraine and picked up suspects in Turkey and Germany as well as the U.S.
The full scope of the damage may never be learned, but the Justice Department said the fraud reached at least into the tens of millions of dollars. Many potential victims have yet to be contacted.
"So far as we know, this is the single largest and most complex identity theft case ever charged in this country," U.S. Atty. Gen. Michael B. Mukasey said at a news conference in Boston, where he announced indictments handed up by grand juries there and in San Diego.
Mukasey also thanked other countries for cooperating and helping to coordinate arrests.
To the chagrin of the U.S. Secret Service, which handles many electronic fraud investigations, the trail led back to one of its own informants, Albert Gonzalez of Miami. Justice Department officials said Gonzalez served as the ringleader and double-crossed the agency by tipping off his cohorts. Prosecutors said Gonzalez could face a life term in prison.
TJ Maxx has become the latest high-profile target in the identity theft epidemic, an evolving type of fraud estimated to affect 15 million U.S. residents a year at a cost of $50 billion.
"Credit cards are constantly being stolen in different ways," said Lance James, chief technology officer at the identity theft tracking firm Secure Science Corp. "There will be more surprises to come."
Besides TJ Maxx and Barnes & Noble, other retailers that lost data to the hackers were Sports Authority, BJ's Wholesale Club, OfficeMax, Boston Market, Forever 21, DSW and TJ Maxx's sister company, Marshalls.
TJX Cos., which owns TJ Maxx and Marshalls, discovered the security breach in its system in late 2006 and announced it early the next year. Likewise, shoe retailer DSW discovered the breach in 2005, contacted federal law enforcement officials and posted a customer alert on its website. It contacted credit card companies and hired a computer security firm to investigate the breach, spokeswoman Debbie Mitchell said.
But some other companies weren't aware that hackers had broken into their databases until Tuesday and, therefore, hadn't notified customers about possible identity losses -- as may be required under the laws of California and some other states.
Barnes & Noble "had not received inquiries from credit card companies or customers about these alleged activities," company spokeswoman Mary Ellen Keating said.
Angela Proctor, spokeswoman for restaurant chain Boston Market, said her company had detected a "potential data compromise" at one location in Florida in late 2004. But an outside audit couldn't confirm that any data had been compromised, she said, so no notifications were issued.
She said the company was still unsure whether customers' data had been stolen, though the indictments stated that Gonzalez and six others had access there.
Secretary of Homeland Security Michael Chertoff, who was in Silicon Valley to discuss Internet security Tuesday, said that the government would leave it to the companies to warn customers. He said the government lacked the authority to notify consumers.
The break in the case began when a handful of people were arrested in Florida last year, not long after TJ Maxx revealed that it had been hacked. They were caught trying to buy goods at Wal-Mart by using fake credit cards that had been encoded with the account numbers and other data lifted from TJ Maxx.
Some began cooperating, and the trail led to such members-only websites as DumpsMarket.net, as well as to Internet chats and Web transactions in the millions of dollars.
Two Chinese nationals -- who are among several accused conspirators who remain abroad and at large -- were charged with providing the blank credit cards that were encoded with stolen information.
The bigger suspects include Ukrainian Maksym Yastremskiy, accused of selling credit card numbers for more than $10 million, and Aleksandr Suvorov of Estonia, who allegedly supplied Yastremskiy with the numbers and related data.
The two were arrested after they had traveled on vacation to closer U.S. allies Turkey and Germany, respectively. Federal cyber-crime agents have complained privately for years about poor cooperation from most states formerly belonging to or allied with the old Soviet Union.
The Boston indictment charges Gonzalez, who is being held in New York, with computer fraud, wire fraud, aggravated identity theft and conspiracy. Fellow Miami residents Christopher Scott and Damon Patrick Toey were described as participants but not indicted, suggesting that they may be cooperating and expect to plead guilty.
In San Diego, prosecutors charged Yastremskiy, Suvorov, the Chinese nationals and a man known only as Delpiero with trafficking in unauthorized access devices and other offenses. In addition, a criminal complaint filed in San Diego accuses Sergey Pavlovich of Belarus and Dzmitry Burak and Sergey Storchak, both of Ukraine, of conspiracy to traffic in stolen credit card numbers.
Retailers have much to worry about with the loss of sensitive data. The initial disclosure by TJ Maxx triggered consumer lawsuits and legal fights with the banks that backed the credit and debit cards, forcing the company to set aside more than $100 million to deal with the issue.
The revelation capped years of data-loss horror stories emanating from companies, government institutions and elsewhere.
"TJ Maxx is kind of the granddaddy of them all," said Phil Dunkelberger, chief executive of encryption firm PGP Corp.
Security experts said some of the hacking feats described in the indictments were impressive. Suspects used a virtual private network, Internet security tunnels common at big companies, to funnel the stolen information to encrypted computers in Eastern Europe.
Others were trivial efforts, such as driving on U.S. 1 in Miami and looking for unsecured wireless networks at retailers. They hacked into the wireless systems and installed "sniffers" to record payment card information as it was transmitted within the company.
Retailers have generally improved their security in the last few years, forcing identity thieves to be more resourceful, Dunkelberger said.
More remarkable, experts said, was the mini-United Nations that came together in the enterprise, and the speed with which everyone acted when the data fell into their hands.
"The underground economy is a global economy, and there are hot spots, like China and Eastern Europe," said Alex Eckelberry, chief executive of security firm Sunbelt Software. "It is a full distribution channel, with people who steal the data, resell the data and use the data."
On Tuesday, TJX Cos. said banks and credit card agencies needed to work closely with retailers to protect customer privacy.
"The sheer number of retailers attacked by these cyber-criminals demonstrates the much broader challenges in protecting sensitive consumer data from this increasing threat," spokeswoman Sherry Lang said.
TJX has posted a customer alert on its website and on the sites of its retail chains, including TJMaxx and Marshalls, notifying shoppers of the identity theft and providing them with a toll-free number to call for more information.
DSW also has sent notification letters to affected customers whenever possible, spokeswoman Mitchell said. Altogether, about 1.4 million credit cards and electronic data on 96,000 checks were breached, she said.
BJ's Wholesale Club, OfficeMax and Forever 21 did not return calls seeking comment.
Many companies have been slow to improve security because customers haven't stopped shopping.
"Consumers, regardless of what they tell surveys, do not take this seriously," said Evan Shuman, editor of a blog on retail technology, StorefrontBacktalk.com.
"As long as they do not punish retailers that get breached, how can they cost-justify spending to prevent it?"
Times staff writer Michelle Quinn in San Jose contributed to this report.Copyright © 2014, Los Angeles Times