US authorities have charged 11 people from five countries with stealing tens of millions of credit and debit card numbers from major retailers, including TJX, in one of the largest identity-theft schemes on record.
The US attorney in Boston said the ring also stole 41 million credit and debit card numbers from retailers BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.
TJX, which owns the TK Maxx chain in the UK, was the hardest hit - acknowledging last year that data from 45.7 million credit cards was stolen from its computers, with as many as 94 million compromised in total.
The scheme originated with a Miami man - a one-time government informant - who drove around Miami with a laptop computer looking to hack into wireless networks, authorities said. It ended with consumers, retailers and banks losing tens of millions through fraudulent transactions.
Three people from the US, three from the Ukraine, two from China, one from Estonia and one from Belarus were all charged. An 11th defendant was not identified.
"Computer crimes are not confined within national borders," US Attorney General Michael Mukasey told reporters. "Criminals can now operate from almost anywhere on the global to steal personal information from almost anywhere on the globe."
The ring, which authorities said was headed by Albert Gonzalez, hacked into retailers' computer networks to steal the data, which was stored on computer servers in the US and Eastern Europe.
The ring sold the numbers to people in the US and Europe for thousands of dollars. The buyers then withdrew tens of thousands of dollars at a time from automated teller machines, officials said.
Authorities did not know the total amount of money stolen, but Michael Sullivan, the US attorney in Boston, said it was in the "tens of millions of dollars."
Gonzalez, being held by New York authorities on another computer hacking charge, was charged with computer fraud, wire fraud, access-device fraud, aggravated identity theft and conspiracy.
Gonzalez was working as an informant in a separate US Secret Service hacking investigation when authorities learned he was using information from their probe to help fellow hackers avoid arrest, authorities said.
"Obviously we weren't happy that someone we had working for us as an informant was double-dealing," said Michael Sullivan, director of the US Secret Service.
Gonzalez faces life in prison if convicted on all charges.
TJX agreed since disclosing the breach to pay more than $60 million (30 million) to credit card networks Visa and MasterCard to settle complaints related to the theft - one of the largest on record based on the number of accounts involved.
"The sheer number of retailers attacked by these cyber criminals demonstrates the much broader challenges in protecting sensitive consumer data from this increasing threat," said Sherry Lang, senior vice president at TJX.
The vulnerability that Gonzalez exploited has been around "as long as we have had Wi-Fi" wireless networks," said Ted Julian, vice president of strategy and marketing at Application Security, a maker of database security software.
With multiplying entry points into corporate networks via wireless store networks, cash registers and even in-store computer kiosks for job applicants, hackers have more weak spots to exploit.
Corporations may need to protect specific internal databases that contain sensitive consumer data, Julian said.
"Rather than locking every single door, let's get all the safes," Julian said. "Not that we don't want to lock the doors, but if that worked, then we wouldn't be in this mess."
