Federal authorities said Tuesday that they had cracked the largest case of identity theft in U.S. history, charging 11 people in the theft of more than 40 million credit and debit card account numbers from computer systems at such major retailers as TJ Maxx and Barnes & Noble.
The three-year investigation by federal agencies and overseas allies brought home the global nature of the Internet's underground economy as agents tracked leads from China to Ukraine and picked up suspects in Turkey and Germany as well as the U.S.
The full scope of the damage may never be learned, but the Justice Department said the fraud reached at least into the tens of millions of dollars. Many potential victims have yet to be contacted.
"So far as we know, this is the single largest and most complex identity theft case ever charged in this country," U.S. Atty. Gen. Michael B. Mukasey said at a news conference in Boston, where he announced indictments handed up by grand juries there and in San Diego.
For The Record
Los Angeles Times Tuesday, August 12, 2008 Home Edition Main News Part A Page 2 National Desk 1 inches; 26 words Type of Material: Correction
Identity theft: An article in Wednesday's Section A about federal authorities' cracking a major identity-theft case misspelled the last name of blogger Evan Schuman as Shuman.
Mukasey also thanked other countries for cooperating and helping to coordinate arrests.
To the chagrin of the U.S. Secret Service, which handles many electronic fraud investigations, the trail led back to one of its own informants, Albert Gonzalez. Justice Department officials said Gonzalez served as the ringleader and double-crossed the agency by tipping off his cohorts. Prosecutors said Gonzalez could face a life term in prison.
TJ Maxx has become the latest high-profile target in the identity theft epidemic, an evolving type of fraud estimated to affect 15 million U.S. residents a year at a cost of $50 billion.
"Credit cards are constantly being stolen in different ways," said Lance James, chief technology officer at the identity theft tracking firm Secure Science Corp. "There will be more surprises to come."
Besides TJ Maxx and Barnes & Noble, other retailers that lost data to the hackers were Sports Authority, BJ's Wholesale Club, OfficeMax, Boston Market, Forever 21, DSW and TJ Maxx's sister company, Marshalls.
TJX Cos., which owns TJ Maxx and Marshalls, discovered the security breach in its system in late 2006 and announced it early the next year. Likewise, shoe retailer DSW discovered the breach in 2005, contacted federal law enforcement officials and posted a customer alert on its website. It contacted credit card companies and hired a computer security firm to investigate the breach, spokeswoman Debbie Mitchell said.
But some other companies weren't aware that hackers had broken into their databases until Tuesday and, therefore, hadn't notified customers about possible identity losses -- as may be required under the laws of California and some other states.
Barnes & Noble "had not received inquiries from credit card companies or customers about these alleged activities," company spokeswoman Mary Ellen Keating said.
Angela Proctor, spokeswoman for restaurant chain Boston Market, said her company had detected a "potential data compromise" at one location in Florida in late 2004. But an outside audit couldn't confirm that any data had been compromised, she said, so no notifications were issued.
She said the company was still unsure whether customers' data had been stolen, though the indictments stated that Gonzalez and six others had access there.
Secretary of Homeland Security Michael Chertoff, who was in Silicon Valley to discuss Internet security Tuesday, said that the government would leave it to the companies to warn customers. He said the government lacked the authority to notify consumers.
The break in the case began when a handful of people were arrested in Florida last year, not long after TJ Maxx revealed that it had been hacked. They were caught trying to buy goods at Wal-Mart by using fake credit cards that had been encoded with the account numbers and other data lifted from TJ Maxx.
Some began cooperating, and the trail led to such members-only websites as DumpsMarket.net, as well as to Internet chats and Web transactions in the millions of dollars.
Two Chinese nationals -- who are among several accused conspirators who remain abroad and at large -- were charged with providing the blank credit cards that were encoded with stolen information.
The bigger suspects include Ukrainian Maksym Yastremskiy, accused of selling credit card numbers for more than $10 million, and Aleksandr Suvorov of Estonia, who allegedly supplied Yastremskiy with the numbers and related data.
The two were arrested after they had traveled on vacation to closer U.S. allies Turkey and Germany, respectively. Federal cyber-crime agents have complained privately for years about poor cooperation from most states formerly belonging to or allied with the old Soviet Union.