A ring of identity thieves that targeted U.S. retailers used sophisticated and multifaceted attacks to steal more than 40 million credit and debit card numbers from TJX, OfficeMax, Barnes & Noble and other companies, according to court documents.
The attacks cost retailers and credit card companies tens of millions of dollars.
Members of the ID theft conspiracy used so-called wardriving techniques to find holes in wireless networks operated by retail stores. Once inside the networks, the thieves located and stole credit card transaction information stored on the retailers’ networks, according to court documents.
The thieves also installed so-called sniffer software to capture password and account data on the stores’ networks, and they used Internet-based attacks, including SQL injection attacks, to gain access to credit card databases.
The ID theft group stored the captured credit card numbers on compromised servers in the U.S., Latvia and the Ukraine, according to court documents. The thieves then encrypted the credit card numbers on those servers, according to the indictment document of Albert Gonzalez, the alleged ringleader of the ID theft scheme.
Gonzalez, of Miami, was indicted Tuesday in U.S. District Court for the District of Massachusetts on charges of computer fraud, wire fraud, access device fraud, aggravated identity theft and conspiracy. Ten other defendants have been indicted or charged with crimes in what’s believed to be the largest ID theft and computer hacking investigation in the history of the U.S. Department of Justice, the DOJ announced Tuesday.
The indictment document for Gonzalez, who was working as an informant for the U.S. Secret Service while allegedly engaged in the scheme, sheds some light on the ID theft operation. The thieves were able to encode credit card information on blank cards that were used to obtain tens of thousands of dollars from cash machines in single visits, the court document says.
Among the attacks detailed in the court document:
— In about 2003, Gonzalez and others found an unencrypted wireless access point at a BJ’s Wholesale Club store. BJ’s reported a breach of its computer networks in early 2004.
— In 2004, other members of the ID theft ring compromised an OfficeMax wireless access point in Miami, and they were able to steal credit card data. After law enforcement officials in 2006 identified OfficeMax as the victim of a data breach, the company said it hired an outside auditor to conduct an investigation and found no evidence of a security breach. An OfficeMax spokesman didn’t immediately return a message seeking comment.
— In July, September and November of 2005, alleged ID theft ring member Christopher Scott compromised two wireless access points operated by TJX at Marshalls department stores in Miami. Scott used his access to repeatedly transmit computer commands to TJX’s servers storing credit card information in Framingham, Massachusetts. TJX, which also owns TJ Maxx, HomeGoods and other retail outlets, reported data breaches in January 2007.
Cybersecurity experts said companies worried about being victims can learn from the attacks. Companies storing personal information need to take a comprehensive approach to data security, including encryption of credit card databases, notifications of suspicious behavior inside their networks and limitations on who can access the data, security experts said.
Companies should also install software patches quickly and make sure they know where sensitive data is located on their networks, added Ted Julian, vice president of strategy and marketing for computer security vendor Application Security. Many companies do not know where all their sensitive data is stored, due to IT worker turnover and other factors, he said.
Companies also need to analyze their risks and take a targeted approach to fixing problems, said Sam Curry, vice president of product management at cybersecurity vendor RSA.
Attacks have changed in recent years, with more organized, targeted campaigns, Julian said. “The hackers are much more focused, and they’ll try 38 doors, they’ll try 100 doors,” he said. “As soon as they find the one that’s unlocked, they’re on their way to the database. I don’t know that a lot of [IT] people are getting $10 million in their budget to roll out a bunch of new security measures.”
Companies should also examine whether the data they store is needed and how long they keep data, said Graham Cluley, senior technology consultant at Sophos, another cybersecurity vendor.
Companies have too long focused on perimeter defenses and not on protecting data inside their networks, Curry said. Retailers and other companies need to “wake up and take these threats seriously,” Curry said. “Make the cost to the bad guys too high for them to do it.”
The indictments announced Tuesday could raise awareness about cybersecurity, Curry added. And some high-profile convictions could serve as a deterrent to criminals.
But Curry and Cluley declined to point fingers at the retailers whose systems were compromised. While customers of the companies need to put pressure on them to improve security practices, the companies are victims, too, Cluley said.
“It’d be wrong to beat up the companies too much,” Cluley said. “Competing companies shouldn’t be feeling too smug, because how many of them can put their hands on their hearts and say, ‘this could never happen inside our organization?’”
The U.S. Federal Trade Commission, however, filed complaints against TJX, BJ’s Wholesale and DSW, a shoe retail chain targeted by the ID theft ring that reported a data breach in March 2005. DSW reported that more than 1.4 million credit card numbers were compromised, and losses ranged from US$6.5 million to $9.5 million.
As of mid-2005, BJ’s reported outstanding claims of $13 million related to the data breach. About 455,000 credit card numbers were taken in the TJX breaches, according to the FTC.
The FTC alleged that the three retailers did not take appropriate security measures to protect against the attacks.
The FTC announced a settlement with BJ’s in June 2005 requiring the company to implement a comprehensive information-security program and obtain audits by an independent third-party security professional every other year for 20 years. The agency announced similar settlements with DSW in December 2005 and TJX in March of this year.
The FTC has not filed complaints against six other companies identified as data breach victims by the DOJ. Those companies are Dave and Buster’s, OfficeMax, Barnes & Noble, Boston Market, Sports Authority and Forever 21. An FTC official said she could not comment on possible complaints against those companies because the FTC does not comment on ongoing investigations.