Skip to main content

Justice: Hackers steal 40 million credit card numbers

  • Story Highlights
  • 11 people indicted in largest hacking case, Department of Justice says
  • Defendants are from across the globe: U.S.; Estonia; Belarus; China
  • They allegedly hacked into the computer systems of nine major U.S. retailers
  • Documents say the group installed "sniffer" programs to capture card numbers
  • Next Article in Crime »
Decrease font Decrease font
Enlarge font Enlarge font

(CNN) -- Eleven people were indicted Tuesday for allegedly stealing more than 40 million credit and debit card numbers, federal authorities said.

Attorney General Michael Mukasey said the effects of identity theft are sometimes felt by victims for years.

Attorney General Michael Mukasey said the effects of identity theft are sometimes felt by victims for years.

The indictments, which alleged that at least nine major U.S. retailers were hacked, were unsealed Tuesday in Boston, Massachusetts, and San Diego, California, prosecutors said.

It is believed to be the largest hacking case that the Justice Department has ever tried to prosecute.

Three of the defendants are from the United States; three are from Estonia; three are from Ukraine, two are from China and one is from Belarus.

The remaining individual is known only by an alias and authorities do not know where that person is.

Under the indictments, three Miami, Florida, men -- Albert "Segvec" Gonzalez, Christopher Scott and Damon Patrick Toey -- are accused of hacking into the wireless computer networks of retailers including TJX Companies, whose stores include Marshall's and T.J. Maxx, BJ's Wholesale Club, OfficeMax, Barnes and Noble and Sports Authority, among others.

The three men installed "sniffer" programs designed to capture credit card numbers, passwords and account information as they moved through the retailers' card processing networks, said Michael Sullivan, the U.S. attorney in Boston.

"This has other personal numbers that could give them access to credit or debit cards that have already been issued and are active," Sullivan told CNN. Have you been a victim of identity theft?

The probe began in late 2006, Sullivan said. In addition to the Justice Department, the Secret Service has been conducting an undercover investigation for more than three years through the U.S. attorney's office in San Diego, he said.

The three then concealed the data in encrypted computer servers they controlled in the United States and eastern Europe, the Justice Department said.

Some credit and debit card numbers were sold on the Internet, and were "cashed out" by encoding the numbers on the magnetic strips of blank cards. "The defendants then used these cards to withdraw tens of thousands of dollars at a time from ATMs," authorities said.

Gonzalez and the others used anonymous Internet-based currencies to conceal and launder their proceeds, as well as channeling funds through bank accounts in Eastern Europe, the department said.

"There are ties between all three districts and ties internationally that go all the way to the Ukraine and Latvia," Sullivan said. "The 41 million credit and debit numbers were used internationally."

Gonzalez was previously arrested in 2003 by the Secret Service on suspicion of access device fraud, the Department of Justice said, and was working as a confidential informant for the agency. However, the Secret Service discovered during the investigation that Gonzalez was involved in this case, authorities said.

The California indictment charged eight others with operating an international stolen credit and debit card distribution ring, selling stolen card information for personal gain -- millions of dollars, in at least one case, authorities said.

Three of the defendants in the most recent case, among them Gonzalez, were also charged in May in a related indictment in New York, Justice said. Those charges allege the three were engaged in a scheme to hack into computer networks run by the Dave & Buster's restaurant chain and steal credit and debit card numbers from at least 11 locations.

The three installed "sniffer" programs at the cash register terminals of the locations, capturing credit and debit card numbers, authorities said. At one location, the sniffer captured data for some 5,000 cards, causing some $600,000 in losses to the banks that issued the credit and debit cards.

Gonzalez is awaiting trial on the New York charges. The other two of the international defendants are also in custody, police said.

"Identity theft can involve a single criminal stealing the personal financial information of a single victim or, as it did here, it can involve a group of criminals stealing the credit card numbers of millions of people, many of whom may not even learn that they were victims for months or years," said Attorney General Michael Mukasey.

"Identity theft victims suffer well beyond the immediate financial costs; they suffer lost confidence in their privacy and security, as well as the emotional strain and the time it can take to repair damaged financial lives and credit histories. In many cases, the effects of these crimes can be felt for years after they are committed."

Mukasey and other officials said the case serves as a reminder that computer crimes can cross international borders.

"We have been working with countries around the world to identify and address technical vulnerabilities in computer networks, and to ensure that laws and procedures are adequate to deal with these kinds of crime," Mukasey said. "And we have been working closely with our international partners to crack specific cases when they take us beyond our borders."

CNN's Ninette Sosa contributed to this report.

All About U.S. Department of JusticeIdentity Theft

  • E-mail
  • Save
  • Print