TJX Thieves Deployed Their Own Security Measures

Before federal authorities cracked down on a multi-national 11-person cyber-crime ring, the group created its own VPN to, ironically, protect their stolen data as it was transmitted from Florida to Latvia.

But now, the security of the accused thieves' data loot is the least of their problems. Indictments and informations released Tuesday (Aug. 5) charge the 11 conspirators with stealing 41 million credit and debit card numbers from major retailers including TJX.

The government dubbed this the largest hacking and identity theft case ever prosecuted by the Department of Justice. The data thieves were able to grab credit and debit card information from TJX, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW, the statement said.

Of the 11 who were charged, only three—Maksym "Maksik" Yastremskiy, of Kharkov; Aleksandr "Jonny Hell" Suvorov, of Sillamae, Estonia; and Albert Gonzalez, of the United States—are in custody.

Gonzalez was charged with computer fraud, wire fraud, access device fraud, aggravated identity theft and conspiracy for his role in the scheme.

He had been arrested by the Secret Service in 2003 for access device fraud. While he was working as a Secret Service confidential informant on this case, officials said, he started illegally leaking information to other suspects involved. Gonzalez faces a maximum penalty of life in prison if he is convicted of all the charges.

Gonzalez "used sensitive law enforcement information, obtained by Gonzalez during the course of his 'cooperation' in a U.S. Secret Service undercover investigation, to warn off conspirators and ensure that they would not be identified and arrested in the course of that investigation," the indictment said.

Two other men, Christopher Scott and Damon Toey, also of the United States, were charged by informations, not indictments. An information is a federal charging mechanism that is similar to an indictment but does not require a grand jury. Typically, it is used either with federal misdemeanors or with federal felony cases that are expected to plea bargain imminently.

In this case, both Scott and Toey are cooperating with the investigation, said Michael Sullivan, the U.S. Attorney for Massachusetts.

"We're absolutely confident that we know precisely where those two defendants are," Sullivan said. "And we're absolutely confident that those two defendants, when they're required to appear before the court, will appear before the court to be arraigned."

The other five conspirators—Hung-Ming Chiu and Zhi Zhi Wang, both of the People's Republic of China; Sergey Pavlovich, of Belarus; and Dzmitry Burak and Sergey Storchak, both of Ukraine—are at large.

There is also an indictment against a person known only by the online nickname "Delpiero," charged under the placeholder name "Fnu Lnu" (first name unknown, last name unknown).

For at least five years, the 11 conspirators used several tactics to gain access to retailers' networks. According to the Gonzalez indictment, they breached networks through wireless access points, installed sniffers to monitor network traffic and steal password and account information, and cashed out stolen track 2 data by encoding it onto the magnetic stripes of blank credit/debit cards and using those cards at ATMs.

Federal authorities applauded the sophistication of the group's operational structure, but found the techniques themselves to be unsophisticated. The breaches were less a matter of the defendants' technology being particularly strong than of the retailers' security being especially weak.

At some point in 2003, Gonzalez found payment card data that was accessible at an unencrypted wireless access point utilized by a BJ's store. Gonzalez and Scott then used this point to obtain track 2 data of BJ's customers, according to the indictment.

The next year Scott used the same tactic to breach a Miami OfficeMax. "The pair were able to locate and download customers' track 2 debit card data, including encrypted PINs, on OfficeMax's payment card transaction processing network."

The breach of TJX data began on July 12 and 18, 2005, when Scott compromised two wireless access points operated by TJX at Marshalls department stores in Miami, Fla., and then transmitted computer commands to the company's servers that process and store payment card transaction data in Framingham, Mass.

They later downloaded payment card information stored on TJX's systems. In mid-2006, Scott "installed and configured a VPN connection from a TJX payment card transaction processing server to a server obtained by Gonzalez."

By August 2007, Toey and Gonzalez had begun focusing on Internet-based attacks, with Forever 21 among their targets, while continuing to use wireless access points. They were good enough that they almost got in and out without any of the retailers ever discovering them.

When the thieves attacked one retailer—not coincidentally the final one—they did trip the alarm. That retailer was the only one not named in the indictment.