[ISN] TJX stolen data used in Florida crime spree

From: InfoSec News (alerts@private)
Date: Thu Mar 22 2007 - 00:03:02 PST


By Matt Hines
March 21, 2007

Law enforcement officials in Florida have arrested six individuals 
suspected of carrying out a fraud scheme built around the misuse of 
credit card data stolen from retailer TJX Companies.

In partnership with the Gainesville Police Department, officials from 
the Florida Department of Law Enforcement said they have taken six of 10 
suspects into custody for allegedly using the TJX customer data to 
purchase large quantities of gift cards from discount chains Wal-Mart 
and Sam's Club.

The series of arrests marks the first specific instance of crime to be 
connected to the TJX data heist, although some banks have previously 
reported that accounts held by consumers affected by the incident had 
been used in attempted fraud around the globe.

Florida Department of Law Enforcement officials confirmed that they 
initially reported the crime ring to Framingham, Mass.-based TJX in Nov. 
2006. The retail chain began informing its customers about the data 
breach -- blamed on a computer systems intrusion -- in mid.-Jan. 2007.

TJX media representatives didn't immediately return call seeking comment 
on the arrests.

The suspects were reported by Florida law enforcement officials to have 
been traveling throughout the state buying large quantities of Wal-Mart 
gift cards with the stolen credit card accounts, and then redeeming the 
cards at other locations. Among the items purchased by the scammers were 
computers, gaming devices, and big-screen TVs.

Losses experienced by Wal-Mart and the banks issuing the credit cards 
total more than $8 million, and are still being calculated, according to 
Florida officials. The suspects arrested were charged with organized 
scheme to defraud, a first-degree felony, and had their bonds set at $1 
million each.

Arrested and booked in Metro-Dade County for the crime spree were Irving 
Escobar, age 18; Reinier Camaraza Alvarez, 27; Julio Oscar Alberti, 33; 
Dianelly Hernandez, 19; Nair Zuleima Alvarez, 40; and Zenia Mercedes 
Llorente, 23.

The Florida Department of Law Enforcement said that it has also issued 
warrants for four other people believed to be involved in the scheme.

The timeline established by the Florida arrests could help to shed light 
on the factors that pushed TJX -- which operates a handful of North 
American and European retail chains including T.J. Maxx, Marshalls, 
HomeGoods, and A.J. Wright -- to inform the public of its data breach.

On Jan. 17, TJX first reported that a computer systems intrusion may 
have compromised the personal data of an undetermined number of its 
customers, with hackers able to make off with individuals' credit card, 
debit card, and check information, along with data related to 
merchandise return transactions.

While the company has refused to reveal how many customers may be 
affected by the incident, TJX officials have confirmed that a majority 
of the data involved is related to people who shopped at its stores in 
the United States, Canada, and Puerto Rico during 2003, and between May 
and December 2006.

On Feb. 21, TJX announced that it had discovered a new set of IT systems 
intrusions that exposed the personally-identifiable information of its 
customers. Company officials said that in addition to the IT systems 
break-ins it detailed in January, it now believes that intruders also 
infiltrated its databases repeatedly during 2005.

Reports of crime connected to the TJX data theft first surfaced on Jan. 
24, when the Massachusetts Bankers Association reported that several 
banks in the state had observed instances of fraud specifically related 
to the accounts of consumers involved in the TJX incident.

The industry group said at the time that it had received reports of 
criminal activity carried out via debit and credit card accounts exposed 
in the heist in locations including Florida, Georgia, and Louisiana in 
the U.S., as well as in Hong Kong and Sweden overseas.

When TJX first reported the incident in Jan. 2007, company officials 
said they had become aware of the data theft in late 2006 but waited to 
begin informing customers of the breach in deference to ongoing law 
enforcement investigations, including those being carried out by the 
U.S. Department of Justice and U.S. Secret Service.

The Massachusetts Bankers Association, among others, publicly criticized 
the company for not moving to disclose the incident faster.

Over the last two years, more than 30 U.S. states have adopted new laws 
that establish more rigid guidelines for the reporting of consumer data 
exposure. A bill under consideration in Massachusetts would require 
organizations to inform consumers within five business days after a 
breach affecting their data is detected.

Visit the InfoSec News Security Bookstore

This archive was generated by hypermail 2.1.3 : Thu Mar 22 2007 - 00:14:59 PST