Largest identity theft case prosecuted in the U.S.
August 7, 2008
The U.S. Department of Justice has charged no fewer than eleven individuals with the outright theft of millions of account numbers from a list of U.S. consumer retailers including Sports Authority, OfficeMax, Barnes & Noble, TJ Maxx, DSW, Boston Market, Forever 21, BJ's Wholesale Club and Dave & Buster's.
According to the indictments, which were unsealed today in San Diego and Boston, Albert Gonzalez was the ringleader, DoJ officials said. Gonzalez is being held in New York on charges of computer fraud, wire fraud, access-device fraud, aggravated identity theft and conspiracy -- multiple crimes that could earn him life in prison if he's convicted on all counts.
According to the indictments, the account information was sold to other criminals elsewhere, who were able to cash in on tens of millions of dollars. Banks in Eastern Europe allegedly laundered the loot.
Other individuals named in the indictment include three Americans, three Ukrainians, two Chinese nationals and two Eastern Europeans from Belarus and Estonia. The activities attributed to this group are at the center of the largest and most complex identity theft case ever built in the U.S., according to the DoJ prosecutors.
Matt Cullina, CEO of Identity Theft 911, said, "If nothing else, this shows that data breaches and identity theft have become major crimes and of global proportions. They need to be addressed swiftly and without wasting any time."
Cullina added that the sheer scale of a case like this will hopefully serve as a wake-up call to online retailers that have not implemented necessary security precautions. "There are too many retailers out there that are simply unprepared for this kind of crime, both in preventing it and then in how to notify customers," he remarked.
The breathtaking scale of the hack attack belies the low-tech means by which the identity thieves were able to acquire the information. Essentially, they allegedly hacked into unsecured or minimally secured Wi-Fi networks from the retail stores' parking lots -- a risk that was well known as early as 2001.
In one case, they were able to access the retailers' corporate database from a local wireless connection.
This crime wave -- and its subsequent public unveiling -- has left the retailers red-faced and, in the case of TJX, much poorer. The company has already agreed to pay more than US $60 million to credit card networks to settle many complaints -- one of the largest settlements on record.
Its IT operations will also be closely scrutinized and audited every two years for the next twenty years.
All told, TJX will spend more than $150 million in direct costs related to the breach, said Phil Neray, V.P. at Guardium.
One potential plus from this event, Neray suggested, is that the industry's understanding of what constitutes reasonable and appropriate security is likely to broaden extensively.
The criminals took advantage of some sophisticated technologies. Sniffer programs were installed on point-of-sale devices in many of the stores, for example. One hacker was able to access data in TJX's main data center in Framingham through a wireless access point in Miami.
Even that could have been prevented, though, if the retailer had properly segmented its network and installed monitoring technology in its data center.
More disturbing, customer data theft may be even more frequent than this particular case initially indicates. "Many retail stores simply don't know they have been hacked until official complaints are being made," said Neray.
Right now, retailers' security is abysmal, Michael Maloof of TriGeo Network Security said. "Wireless systems can be easily secured -- if only by walking through a store's parking lot with a laptop to make sure you are not transmitting."
The sheer level of attacks is probably a lot higher than retailers or consumers want to acknowledge, echoed Jay Valentine, vice president of TDI. "Companies are getting hacked internally -- particularly retailers -- almost every day. IT security people know it but are powerless to stop it effectively, so they simply don't do anything about it."
"What we are seeing here are cases in which disclosure by the retailer happens only AFTER a period of weeks or months," Paul Davie, COO and cofounder of database security provider Secerno, said.
He added, "Ethically, these retailers need to let customers know if their data has been compromised as quickly as possible, so they can change credit cards and track for fraudulent charges. But in the majority of the security breaches we've seen, it almost never happens."
These criminal charges no doubt will revive the debate over when -- and in how much detail -- a retailer should inform customers that their accounts might have been compromised.
Source: The U.S. Department of Justice.