By Erika Morphy CRM Buyer Part of the ECT News Network
08/06/08 1:46 PM PT
The Department of Justice has mounted a massive prosecution to take down an identity theft ring that purloined millions of records from retailers and stole millions from their customers -- but the effort may do little to diminish the scale of the threat that's still out there.
Learn How You Can Protect Your Virtual Datacenter With Trend Micro™ Enterprise Security, powered by the Trend Micro Smart Protection Network™ infrastructure, you can mitigate risk and maximize the benefits of virtualization. Get the free eBook to learn how.
The Department of Justice has charged 11 people with the theft of millions of account numbers from a long list of U.S. big box retailers including TJ Maxx, OfficeMax, Barnes & Noble, Boston Market, BJ's Wholesale Club, Forever 21, DSW, Dave & Buster's and Sports Authority.
Albert "Segvec" Gonzalez was the ringleader, according to the indictments, which were unsealed in San Diego and Boston. He is being held in New York on charges of computer fraud, wire fraud, access-device fraud, aggravated identity theft and conspiracy -- a roll call of crimes that could net him life in prison if he's convicted.
Others named in the indictment include three Americans, three Ukrainians, two Chinese nationals and two Eastern Europeans from Belarus and Estonia.
The account information was sold to other criminals who were able to cash out tens of millions of dollars, according to the indictments. Banks in Eastern Europe allegedly laundered the money.
The activities attributed to this group are at the center of the largest and most complex identity theft case ever built in the U.S., according to the prosecutors.
"If nothing else, this shows that data breaches and identity theft have become global crimes," Matt Cullina, CEO of
Identity Theft 911, told CRM Buyer.
The sheer scale of this case, he said, will hopefully serve as a wake-up call to retailers that have not implemented necessary security precautions.
"There are too many retailers out there that are simply unprepared for this kind of crime, both in preventing it and then in how to notify customers," he remarked.
Low-Tech Access
The breathtaking scale of the hack attack belies the low-tech means by which the identity thieves were able to acquire the information. Essentially, they hacked into unsecured or minimally secured WiFi networks from the retail stores' parking lots -- a threat risk that was well known back in 2001. In one case, they were able to access the retailers' corporate database from a local wireless connection.
This crime wave -- and its subsequent public unveiling -- have left the retailers red-faced and, in the case of TJX, much poorer. The company has already agreed to pay more than US$60 million to credit card networks to settle complaints -- one of the largest settlements on record. Its IT operations will also be audited every two years for the next 20 years.
All told, the store will spend more than $150 million in costs related to the breach, said Phil Neray, VP at
Guardium.
The attackers took advantage of some sophisticated technologies, he told CRM Buyer. Sniffer programs were installed on point-of-sale devices in many of the stores, for example. One hacker was able to access data in TJX's main data center in Framingham, Neray noted, through a wireless access point in Miami. Even that could have been prevented, though, if the retailer had properly segmented its network and installed monitoring technology in the data center.
One potential plus from this event, Neray suggested, is that the industry's understanding of what constitutes reasonable and appropriate security is likely to broaden.
Right now, retailers' security is abysmal, Michael Maloof of
TriGeo Network Security told CRM Buyer. "Wireless systems can be easily secured -- if only by walking through a store's parking lot with a laptop to make sure you are not transmitting."
Customer data theft may be even more rampant than this particular case indicates. "Many stores don't know they have been hacked until complaints are made," Maloof commented.
The level of attacks is probably far higher than retailers or consumers want to acknowledge, echoed Jay Valentine, vice president of
TDI.
"Companies are getting hacked internally -- particularly retailers -- every day," he told CRM Buyer. "The dirty little secret is that IT security people know it but are powerless to stop it, so they do nothing."
Consumer Issue
The charges no doubt will revive the debate over when -- and in how much detail -- a retailer should inform customers that their accounts might have been compromised.
"What we are seeing are cases in which disclosure by the retailer happens only after a period of weeks or months," Paul Davie, COO and cofounder of database security provider
Secerno, told CRM Buyer.
"Ethically, these retailers need to let customers know if their data has been compromised as quickly as possible, so they can change credit cards and track for fraudulent charges."
P2P File-Sharing Sinks Ships July 10, 2008
"Data security" may soon rank right up there alongside "military intelligence" as an oxymoron of the high-tech era. If it's not lost or stolen laptops, it's hackers breaking into sloppy networks -- or perhaps thousands of unwitting music lovers sharing sensitive corporate secrets along with the latest hot tracks.
Related Stories
TJX to Shell Out $41M in Data Breach Settlement November 30, 2007
A key lesson from the TJX case may be that businesses have to do more than invest in security solutions, said Cliff Pollan, the chief executive officer of data auditing solutions firm Lumigent. "Companies need to demonstrate that proper policies and procedures are in place, are being adhered to and that they are in fact making their data more secure," Pollan told the E-Commerce Times.
TJX Asked Too Much, Protected Too Little, Say Canadian Officials September 26, 2007
Retail conglomerate TJX, the company from which millions of peoples' credit card information was stolen several months ago, was reprimanded by Canadian officials in a report. The Office of the Privacy Commissioner said the retailer took too much information from customers and held it for too long, thus allowing more data to be compromised should the system be hacked.
45.7 Million Credit Cards Exposed in TJX Data Theft March 29, 2007
TJX this week revealed that its May 2006 data breach compromised at least 45.7 million customer credit and debit cards over the course of several years. Another 455,000 customers who returned merchandise without receipts had their personal data stolen, including driver's license numbers, the company stated, adding that the breach could be as far-reaching as the UK and Ireland.
Related News Alerts
More by Erika Morphy
Palm Beats Itself to a Pulp March 19, 2010
Palm's inability to excite consumers over the Pre is a colossal marketing failure, suggested Patrick Gilbert, CEO of 4Smartphone. "This is not a tech or design issue -- the problem is they haven't been able to reach out to users or the developer community," he said.
Survey Totes Up Value of Excellent Online Customer Service March 19, 2010
There's gold in the e-commerce hills for companies willing to take their customer service to a higher level. Consumers are willing to pay almost 11 percent more to get excellent customer service along with their purchases, according to an Ovum survey, yet few e-tailers meet that standard. Heading a list put together by StellaService, which commissioned the study, are Zappos.com, Diapers.com and BlueNile.com.
Twitter Flies the Coop March 16, 2010
Twitter has found a way to flit around to other Web locales through a feature called "@anywhere." Amazon, eBay, The Huffington Post, YouTube and others will be able to open a Twitter window to users, allowing them to send and receive messages without leaving the site. Social media marketers are salivating at the possibilities.
Headline Feeds
Talkback: 
