Major hacking ring exposed in US – 40 million cards stolen

6 Aug 2008

In what’s believed to be the largest hacking and identity theft case ever prosecuted by the Department of Justice in the US, 11 people from five countries have been charged with stealing over 40 million credit and debit card numbers.

Three of the defendants are US citizens, one is from Estonia, three are from Ukraine, two from the People’s Republic of China and one is from Belarus. One individual is only known by an alias online, and his place of origin is unknown.

The indictment alleges that this ring of conspirators obtained the credit and debit card numbers by ‘wardriving’ and hacking into the wireless computer networks of major retailers – including TJX companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.Wardriving is the term for finding and marking the locations and status of wireless networks.

“The announcement is good news. A lot of people’s credit card numbers were exposed, including possibly people in Ireland who shopped in TK Maxx here,” said Brian Honan of IT security company, BH Consulting.

“These people [allegedly] hacked into the wireless network used by TJX in stores and installed programmes on the network that enabled them to scan or sniff the network traffic going in and out of the company.

“Gradually, they set up their own messaging system within the network, similar to a legitimate intranet. This case shows that TJX’s wireless network was not very secure and it wasn’t monitoring strange traffic. Any company that takes security seriously would have its network secure and monitor constantly for suspicious activity.”

The indictment alleges that after they collected the data, the conspirators concealed it in encrypted computer servers they controlled in eastern Europe and the US. They allegedly sold some of the credit and debit card numbers, via the internet, to other criminals. The stolen numbers were ‘cashed out’ by encoding card numbers on the magnetic strips of blank cards. The defendants then used these cards to withdraw tens of thousands of dollars at a time from ATMs.

“So far as we know, this is the single largest and most complex identity theft case ever charged in this country,” said Attorney General, Michael Mukasey. “It highlights the efforts of the Justice Department to fight this pernicious crime and shows that, with the cooperation of our law enforcement partners around the world, we can identify, charge and apprehend even the most sophisticated computer hackers.”

US Attorney, Michael Sullivan, said: “While technology has made our lives much easier, it has also created new vulnerabilities. This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results. Consumers, companies and governments from around the world must further develop ways to protect our sensitive personal and business information and detect those, whether here or abroad, that conspire to exploit technology for criminal gain.”

Here in Ireland, Honan has been campaigning for the past couple of years for the Government to introduce data breach disclosure laws – in other words, that companies here and elsewhere would be legally obliged to inform Irish citizens that they are holding their credit card details.

By Sorcha Corcoran