The Department of Justice today announced indictments of eleven people in connection with the TJX breach.
These aren’t the first people charged in connection with the TJX breach. Last year, six people pled guilty to using stolen TJX data in a counterfeit credit card ring. None of those people had any part in the TJX breach itself, though—they just created credit cards with the stolen data, which they had purchased from others. The people who stole the data from TJX in the first place hadn’t yet been caught.
It looks like that started to change last August, when Ukranian Maksym Yastremskiy, described as “the largest individual seller of card data” from the TJX breach, was arrested in Turkey. Yastremskiy is named in today’s indictments. The charges in the indictment include hacking into TJX and seven other retailers—the first time anyone has been charged with the intrusion itself.
The list of retailers these people are charged with hacking reads like a who’s who of major retail credit card breaches: “TJX Cos, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.” If this one group of people was involved in all those breaches, this is a very big deal.
Why is this remarkable, aside from being the latest news about almost every big credit card breach we know about? For starters, it highlights the international nature of Internet crime. The indictment names people from China, Ukraine, Estonia, Belarus, and the U.S. That’s why it’s so hard to find the sources of data breaches; the trail leads across oceans, possibly many times.
It also reinforces what security people have been saying for a while: the big security threats are no longer people writing worms and viruses. They’re organized crime rings making money, and trying to do so as quietly as possible. The number of countries all these people are from suggests an organized multi-national group, not just a few people happening on a security hole.
Finally, one other thing stands out in the AP article:
In May, TJX said it won support from Mastercard-issuing banks for a settlement that will pay them as much as $24 million to cover costs from the data breach. A similar agreement reached last November with Visa-card issuing banks also was overwhelmingly approved. That agreement set aside as much as $40.9 million to help banks cover costs including replacing customers payment cards and covering fraudulent charges.
Issuing banks have had a hard time trying to get courts to award damages for the cost of reissuing credit cards after a breach. Pennsylvania State Employees Credit Union tried it after the BJ’s Wholesale Club breach with no success. This may be the first public example of a breached merchant paying issuing banks for the cost of reissuing credit cards.
The AP article is phrased poorly; are the Mastercard and Visa card issuers set to receive $65M from TJX to cover the issuing banks’ costs from the breach/compromise?
Yes. That’s TJX’s settlement of the issuers’ lawsuits to recover the costs of reissuing cards, notifying customers, and so forth.
[...] by cla03333246 on Thu 04-12-2008 THE FBI AND CYBERCRIME Saved by jensjakob on Sun 23-11-2008 International Cooperation (Cybercrime Division) Saved by lrf77 on Fri 14-11-2008 Iraqi police force might need cybercrime training, too Saved by [...]