Analysis: The biggest identity fraud in history

IT PRO looks at how millions of credit and debit card numbers were stolen from US and UK retailers, and examines how taking this case to court could help the international fight against identity theft.

The figures are staggering. Tens of millions of credit and debit card numbers stolen and sold around the world. Tens of thousands of pounds stolen from cash machines.

One retailer has already been forced to pay 30 million to Visa and MasterCard to compensate them for the cost of handling complaints, refunding stolen money and replacing cards.

Advertisement - Article continues below

However, law enforcement has finally caught up with what is believed to be an international crime syndicate, which used unsecure Wi-Fi networks and laptop computers to access and steal valuable data from a number of retailers including TJX, which owns British clothing chain TK Maxx.

So how exactly was it possible for hackers to steal this much data and actually use it?

"It apparently involved quite sophisticated hacking of the retailers' wireless networks and the retrieval of large volumes of payment card data over an extended period of time," said David Hobson, managing director of Global Secure Systems.

He said that if businesses were to avoid a similar situation occurring, they would need to make sure that all entry points to the corporate network were properly defended.

"That involves using lengthy encryption passwords and changing all the access points' passwords from their default settings," he said

Advertisement - Article continues below

"It's all very well using complex encryption passwords, but if you've left the admin password on your wireless router at its default setting, you might as well not bother using encryption in the first place," he explained.

Advertisement - Article continues below

Ray Stanton, global head of business continuity at BT, argued that it doesn't matter whether an individual gained access through a wireless network or any other method. It's about what they can do when they are in.

Stanton claimed that in the end it was a failure of the organisations involved to implement basic controls as well as maintain and monitor them.

He said: "Looking back this past six months, nearly, if not all of the notable' issues have all been to do with a lack of and failure to implement and maintain the basics'.

"Be it education of staff to taking care of information such as papers entrusted to them, to implementing technical controls and then monitoring and maintaining them."

The data theft occurred over what was said to be an 18-month period and was routed through the US, China and Eastern Europe.

Although individuals have been charged, questions about what has happened to the stolen data, whether it is still being used, and whether it was still costing customers remain unanswered.

Advertisement - Article continues below

The latter has not been helped by retailers keeping quiet about incidents in the fear that they would lose business.

"This happened for a period of time. We have no idea whether this is happening in the UK and Europe now. It's just not reported in the way that it mandatory in the US in a number of states," said George Fyffe, director of operations for EMEA at Application Security.

Fyffe said it was worrying that organisations like HM Revenue and Customs and other government departments thought that as data has not appeared, in effect the problem has gone away'.

"I'm not sure that's the case," said Fyffe. "If I had stolen that data, I think the last thing that I would want to do is to start using it while everyone is out there looking for it. I would sit back and wait. Let the dust settle and then begin to use it when people have forgotten about it."

Advertisement - Article continues below

David Emm, senior technology consultant at Kaspersky said that such a high profile case would put the problem back into the public eye the whole issue of personal data and how it was handled and looked after in the public domain.

He also said that the very fact that the criminals had been caught and charged from many countries showed that there was hope for the future even though there were still many barriers to consider when it came to countries working together.

Emm said: "It would be great if there was a cyber Interpol. The problem here is that we have crime without frontiers in the sense that the internet doesn't have political and or geographical boundaries.

"That said in the last five or ten years law enforcement agencies across the globe, particularly in the developed countries, have got skilled and experienced people working for them and they do cooperate to a large degree."

Featured Resources

Navigating the new normal: A fast guide to remote working

A smooth transition will support operations for years to come

Download now

Putting a spotlight on cyber security

An examination of the current cyber security landscape

Download now

The economics of infrastructure scalability

Find the most cost-effective and least risky way to scale

Download now

IT operations overload hinders digital transformation

Clearing the path towards a modernised system of agreement

Download now



University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Policy & legislation

Senators propose a bill aimed at ending warrant-proof encryption

24 Jun 2020

Most Popular


How to find RAM speed, size and type

24 Jun 2020

Microsoft releases urgent patch for high-risk Windows 10 flaws

1 Jul 2020
data protection

EU institutions told to avoid Microsoft software after licence spat

3 Jul 2020