Authorities investigating the massive holiday-season hack into
The arrests of Daniel Dominguez Guardiola and Mary Carmen Vaquera Garcia may indicate that stolen information from as many as 110 million Target customers is making its way through U.S. stores through small groups of shoppers with fraudulent cards.
Customs and Border Protection officers detained Guardiola, 28, and Garcia, 27, before turning them over to local authorities, McAllen Police Lt. Joel Morales said. Police had outstanding arrest warrants for Guardiola and Garcia alleging credit- and debit-card fraud.
The pair, both from Monterrey, Mexico, were found carrying 90 fraudulent payment cards, Morales said, and authorities eventually seized 22 more.
Morales said the connection to the Target hacking came from the
Target said last month that up to 40 million customers' credit and debit card accounts used for purchases at its stores nationwide were illegally accessed by cybercriminals from Nov. 27 to Dec. 15.
The Minneapolis company later said that hackers also may have taken the names and the home and email addresses of as many as 70 million in-store and online shoppers.
On Monday, Target spokeswoman Molly Snyder said the investigation is "active and ongoing" and referred questions about the McAllen arrests to local law enforcement.
McAllen police began receiving reports of fraudulent credit card use from local retailers last week, Morales said. Police launched an investigation, teaming up with ICE and the Secret Service.
Morales said federal law enforcement agencies are expected to file more charges against Garcia and Guardiola "in the near future." He said it was "too early" to say whether authorities are looking for more suspects.
Garcia and Guardiola are in a McAllen police holding cell and will be arraigned by Tuesday, Morales said.
Longtime security analyst Bruce Schneier said the arrests played out in a familiar way.
"It's not that we find criminals like this through cyber-forensics. We get them in the real world when they do something stupid," said Schneier, chief technology officer at cybersecurity firm Co3 Systems. "It's invariably how it works: Getting credit cards is easy. Turning it into cash is hard."
Schneier acknowledged, however, that the criminals who carried out the initial breach may not be the same ones who end up using the stolen data. Often, payment card account information is sold on the black market and used to make illegal purchases, he said.
Target is being sued by more than a dozen customers over the breach, as well as by a Seattle law firm accusing the retailer of ignoring earlier warnings about flaws in its protective systems.
Separately, Putnam Bank in Connecticut filed a federal complaint against Target alleging that the hack has resulted in "significant losses" for the bank as it reissues payment cards and reimburses customers for fraud-related losses.
"In a lot of ways, credit card fraud is irrelevant to most people because credit card companies are so efficient on making good on any damages," Schneier said.
The Target attack now appears to rank as the nation's biggest cybercrime against a single retailer. The 110 million potential victims could represent more than a third of the U.S. population.
"We're at a scale that has probably never been seen before," said Scott Mitic, senior vice president at consumer credit rating firm
The two batches of data were stolen simultaneously but affected different sets of data and customers.
Target disclosed the theft of the first batch Dec. 19, saying cyberthieves lifted primarily financial information from people who shopped at its stores and used credit or debit cards Nov. 27 to Dec. 15. The information stolen included customer names, card numbers and a security code encrypted in cards' magnetic strips.
The second batch, disclosed Jan. 10, encompassed largely personal information such as names, addresses, phone numbers and email addresses from shoppers online or in a store over an indeterminate amount of time.
Matching personal and financial details from the two batches, experts said, could clear a path for the culprits to make fraudulent purchases, siphon money from bank accounts or steal victims' identities.
Target has promised to offer affected customers free credit monitoring and identity theft protection for one year.
Last week, cyber-intelligence firm ISight Partners said a new piece of malicious software known as Kaptoxa has "potentially infected a large number of retail information systems." The company said it was working with the U.S. Secret Service when it made the discovery.
Neiman Marcus Group said this month that its customers' credit and debit card information also was stolen, although Social Security numbers and birth dates seemed to be safe.
The upscale retailer said that online shoppers weren't affected and that it had "no knowledge of any connection" to the Target breach.