Tuesday, August 12, 2008

More on the 40 Million Card Data Breach

The graphic from today's story "On the Trail of a Global Crime Ring" in the New York Times provides us with more information regarding the members of the international identity theft ring.

Last week came the announcement that the DoJ had indicted 11 people in the 40 million card T.J. Maxx wardriving bust. I found it interesting that, until then, T.J. Maxx had borne the brunt of being the company involved in the hack attack. In reality, there were 11 companies that were breached (one for each culprit indicted?). Why then was T.J. Maxx so independently maligned? Why did the other companies get nary a mention?

According to an article in the Wall Street Journal it's because...
...only four of the chains clearly alerted their customers to breaches. Two others -- Boston Market Corp. and Forever 21 Inc. -- say they never told customers because they never confirmed data were stolen from them.  The other retailers -- OfficeMax Inc., Barnes and Noble Inc., and Sports Authority Inc. -- wouldn't say whether they made consumer disclosures. Computer searches of their Securities and Exchange Commission filings, Web sites, press releases and news archives turned up no evidence of such disclosures.

The other companies allegedly targeted by the ring charged last week were: TJX Cos., BJ's Wholesale Club Inc., shoe retailer DSW Inc., and restaurant chain Dave and Buster's Inc. They each disclosed to customers they were breached shortly after the intrusions were discovered.

The disclosure issue emerged after the government charged 11 men in five countries, including the U.S., Ukraine and China, with orchestrating a high-tech operation to steal credit-card numbers from 2003 to 2008.

After an increasing number of such thefts in recent years, more than 40 states have adopted laws requiring companies to give consumers an early warning when their personal information is stolen. Companies typically have made disclosures by letter, whenever possible, and through public announcements on the Web sites and in press releases to the media. Disclosure allows consumers to act quickly to limit losses -- by canceling their credit cards, changing their passwords or setting up credit-monitoring services. The Federal Trade Commission estimates nearly $50 billion is lost annually as a result of identity theft and credit-card fraud, with part of it absorbed by banks.

"If I were the companies, I would be issuing public disclosures five nanoseconds after the indictments were announced," says Evan Stewart, an adjunct professor at Fordham University School of Law and an electronic-data breach expert. "If not, there could be big checks the companies will have to be writing" to cover consumer litigation, he said.

Dan Clements, chief executive of Affinion Security Center's CardCops unit, which monitors Internet chat-rooms for illegal trafficking of credit and debit cards, says many companies are reluctant to disclose breaches. "Telling the public that they've been breached is embarrassing for them, it makes them suffer a loss of goodwill and in the case of public companies, the stock price goes down."

OfficeMax has denied having any knowledge of a breach. New Jersey authorities who investigated the company in 2005 believed it was one of a number of retailers who was compromised, and last week's indictments describe how the defendants allegedly broke into their networks. Boston Market and Forever 21 say their own investigations couldn't corroborate the government's findings. Federal officials say they stand by the information in the indictments.

The indictments allege that one of the suspects, Christopher Scott and another man identified only by initials broke into the wireless network of an OfficeMax store in Miami in 2004 and gained access to credit-card data. Mr. Scott, through family members, declined to comment.

Authorities also said they discovered in 2005 that OfficeMax's computer systems had been breached by another group that obtained customer data and used it to make counterfeit credit cards. "We believe the [credit-card] information was coming out of an OfficeMax in North Carolina," said Lt. Tom Cooney, of the Hudson County Prosecutor's office in Jersey City, N.J. "It turned out that a number of the victims" were customers at the same OfficeMax.

Edward DeFazio, a Hudson County prosecutor, says investigators in the joint federal-state probe notified OfficeMax and other retailers that their systems had been breached in a card-theft ring. Fourteen people were arrested in March 2006.

That month, OfficeMax acknowledged in an SEC filing an "ongoing federal investigation involving legitimate debit-card use at various retailers that was later tied to fraudulent transactions outside the U.S." But the filing added that "we have no knowledge of a security breach at OfficeMax."

In a statement following last week's indictments, the Naperville, Ill.-based company said, "it would be inappropriate to express our views relating to an ongoing criminal investigation." It said it has cooperated with authorities in their probe and was "confident in the integrity and security of our systems."

Last week's indictments also describe "attacks on Forever 21," which operates more than 350 clothing stores. Prosecutors allege that sometime this year, Damon Patrick Toey, of Miami, broke into Forever 21's system and shared access with Albert Gonzalez, the group's alleged ringleader, "for the purpose of downloading credit-card information of customers of Forever 21." Lawyers for Mr. Gonzalez declined to comment. Mr. Toey couldn't be reached to comment.

Larry Meyer, spokesman for Forever 21, says that this spring, federal authorities notified the Los Angeles-based retailer that it was among several retailers whose computer systems were "potentially infiltrated" by a crime ring. Authorities "asked us to investigate for a breach," he says.

He says Forever 21 conducted an internal investigation but didn't find a sign of a breach. Therefore, he says, the company didn't notify customers that their credit-card information was potentially at risk. "There was no breach," he says. "There was nothing to tell people." He says Forever 21 believes it is only obligated to make a disclosure if it finds a breach.

He added that as a result of last week's indictments, the company was in discussions with federal authorities.

The indictments also allege that Boston Market, a fast-food chain based in Golden, Colo., was hit by credit-card thieves. Company spokeswoman Angela Proctor acknowledges that the company was notified by federal authorities in 2004 about a potential breach. She says it never disclosed the matter to consumers "because we couldn't find any definite information that we'd been breached."

Ms. Proctor now says it isn't likely the company will inform consumers "because there is no way for us to identify customers who might have been affected." She added, "The consumer always does have an opportunity to report fraudulent activities" to credit-card companies.

Barnes and Noble, the New York-based bookseller, issued a release last week saying it "had not received inquiries from credit card companies or customers about these alleged activities." A company spokeswoman declined to comment further.

Sports Authority, based in Englewood, Colo., didn't return phone calls.

TJX, the Framingham, Mass.-based owner of stores including T.J. Maxx, Marshalls, HomeGoods and A.J. Wright retail chains, says it has spent $202 million in expenses related to the breach, which compromised the cards of millions of its customers. Most of the money is being used to settle lawsuits brought by consumers and banks and to pay settlements with credit-card associations.

Write to Joseph Pereira at joe.pereira@wsj.com and Jennifer Levitz at jennifer.levitz@wsj.com