Charges Filed in Massive TJX Breach

Alleged TJX hackers charged:

The Department of Justice indictment alleges that, after the gang collected the information from the different chains, members concealed the data in encrypted computer servers in Eastern Europe and the U.S. They allegedly sold some of the credit and debit card numbers via the Internet to other criminals in the U.S. and Eastern Europe. The stolen numbers were “cashed out” by encoding card numbers on the magnetic strips of blank cards; the defendants then used these cards to withdraw tens of thousands of dollars at a time from bank machines, according to the Department of Justice.

The alleged criminals are:
Albert “Segvec” Gonzalez, Christopher Scott, and Damon Patrick Toey, all from Miami, Florida.
Maksym “Maksik” Yastremskiy, of Kharkov, Ukraine.
Aleksandr “Jonny Hell” Suvorov, of Sillamae, Estonia.
Sergey Pavolvich, of Belarus.
Dzmitry Burak and Sergey Storchak, both of the Ukraine.
Hung-Ming Chiu and Zhi Zhi Wang, both of China.
A John Doe known only by the online nickname “Delpiero.”

Gonzalez, Yastremskiy, and Suvorov are the only ones in custody. This isn’t Gonzalez’ first brush with the law. He’s acted as an informant in the past for similar crimes involving access device fraud. He now faces life in prison.

According to reports, the brazen criminals left encrypted messages to each other on TJX’s networks.

Note to those of you still using WEP to secure your wireless networking: so was TJX. WEP is easily crackable. Use a stronger encryption scheme, such as WPA.

2 Responses to “Charges Filed in Massive TJX Breach”

  1. benjaminwright Says:

    Careful reading of the indictments of the TJX data thieves shows that the media, card issuers and Federal Trade Commission over-reacted to the TJX incident. TJX was not as bad as we were led to believe. –Ben

  2. lucky Says:

    Wrong. TJX were as bad and oblivious as we were led to believe. To wit, many of the companies named in the indictments were oblivious that their security had led to mass fraud until they were notified the morning the indictments were unsealed. The lone exception that had some awareness is believed to be TJX, but their knowledge of the problem isn’t exculpatory. It’s pretty condemning:

    “Officials in the class-action lawsuits of the star victim in this case—TJX—differed on exactly when TJX learned of the breach. But the breach was not discovered by TJX’s internal systems nor by any TJX employee, sources familiar with the case said.”

    It’s also not known if these were the only infiltrators of TJX’s or the other companies named in the indictments. What *is* clear is that the companies listed were ignorant of the problems — including the fact the crooks were able to set up their own VPNs on those corporate servers.

    Not as bad? WTF is your definition of good, especially with someone to whom you entrust your credit card and other private information?
