The largest instance of consumer data theft on record occurred in 2007, perpetrated by a cabal of hackers who used the poorly secured wireless network of a Marshalls store to digitally infiltrate the massive customer database housed at the company's corporate headquarters. One of the 11 suspects charged with carrying out the scheme has pleaded guilty to the crime and is scheduled to be sentenced in December.
The TJX heist was part of a WiFi crime spree that also targeted Barnes and Noble, OfficeMax, and other unidentified retailers. The crooks stole over 40 million credit card numbers and a large volume of other customer data, including social security numbers. They used a laptop and directional antenna to crack the WEP encryption used by the retailers.
As we noted when we looked at the technical details of the crime last year, the widespread use of WEP security by these companies should be viewed as gross negligence—methods of compromising WEP are well-documented and easy to carry out. The financial damages from the TJX hack, which went on for a period of five years, are estimated at over $1 billion; the company is facing lawsuits from hundreds of banks.
Damon Patrick Toey, who helped the group pilfer information from database servers by exploiting SQL injection vulnerabilities, cut a deal with the prosecution to obtain lenient sentencing in exchange for cooperation. He pleaded guilty to credit card fraud charges and turned over his profits from the data theft. Toey will provide law enforcement agents with details about other undisclosed hacks that were carried out by the group.
Toey's testimony could help build a case against other members of the group. Its leader, Albert Gonzalez, has pleaded not guilty and continues to deny the charges. Gonzalez was previously busted in 2003 and was cooperating with the Secret Service as an informant when he was implicated in another credit card theft scheme that targeted a restaurant chain. He could face a life sentence if convicted on all charges.
United States law enforcement organizations have been aggressive in their pursuit of the culprits behind the TJX hack and aim to send a tough message to credit card crime rings.
"Through coordinated commitment, the United States Secret Service and the Department of Justice will penetrate and prosecute hacker organizations, wherever based and however sophisticated," said Southern California district attorney Karen P. Hewitt last month when charges were brought against some of the conspirators.
The scope of the TJX fiasco demonstrates, however, that retailers need to be the ones hearing some tough talk. There is no excuse for depending on grossly inadequate security measures to safeguard sensitive customer data. The volume of information that the TJX hackers were able to obtain reflects the need for companies to start taking security more seriously.