11 charged in largest ID theft in U.S. history

Federal authorities said Tuesday that they had cracked the largest case of identity theft in U.S. history, charging 11 people in the theft of more than 40 million credit and debit card account numbers from computer systems at such major retailers as TJ Maxx and Barnes & Noble.

The three-year investigation by federal agencies and overseas allies brought home the global nature of the Internet's underground economy as agents tracked leads from China to Ukraine and picked up suspects in Turkey and Germany as well as the U.S.

The full scope of the damage may never be learned, but the Justice Department said the fraud reached at least into the tens of millions of dollars. Many potential victims have yet to be contacted.

"So far as we know, this is the single largest and most complex identity theft case ever charged in this country," U.S. Atty. Gen. Michael B. Mukasey said at a news conference in Boston, where he announced indictments handed up by grand juries there and in San Diego.

Mukasey also thanked other countries for cooperating and helping to coordinate arrests.

To the chagrin of the U.S. Secret Service, which handles many electronic fraud investigations, the trail led back to one of its own informants, Albert Gonzalez. Justice Department officials said Gonzalez served as the ringleader and double-crossed the agency by tipping off his cohorts. Prosecutors said Gonzalez could face a life term in prison.

TJ Maxx has become the latest high-profile target in the identity theft epidemic, an evolving type of fraud estimated to affect 15 million U.S. residents a year at a cost of $50 billion.

"Credit cards are constantly being stolen in different ways," said Lance James, chief technology officer at the identity theft tracking firm Secure Science Corp. "There will be more surprises to come."

Besides TJ Maxx and Barnes & Noble, other retailers that lost data to the hackers were Sports Authority, BJ's Wholesale Club, OfficeMax, Boston Market, Forever 21, DSW and TJ Maxx's sister company, Marshalls.

TJX Cos., which owns TJ Maxx and Marshalls, discovered the security breach in its system in late 2006 and announced it early the next year. Likewise, shoe retailer DSW discovered the breach in 2005, contacted federal law enforcement officials and posted a customer alert on its website. It contacted credit card companies and hired a computer security firm to investigate the breach, spokeswoman Debbie Mitchell said.