TJX Credit Card Hackers Busted – Largest US Data Breach

We reported on this case back in September 2007, the largest US data breach in history so far (45 million customer records!).

It seems the people behind it have finally been busted: 11 people have been charged by US authorities.

The US authorities have charged 11 people in connection with the theft of credit-card details in the country’s largest-ever identity theft case.

They are accused of stealing more than 40 million credit and debit card numbers before selling the information.

They allegedly hacked into the computer systems of several major US retailers and installed software to access account details and passwords. Prosecutors said the alleged fraud was an “international conspiracy”.

It seems like a pretty well organised operation, coordinated across multiple continents to hit multiple retail chains.

I’d guess they made quite some money out of it… but now they are going to pay the price.

Three of those charged are US citizens. The others come from Estonia, Ukraine, Belarus and China.

The 11 suspects are alleged to have obtained card numbers, account information and password details by driving around neighbourhoods and hacking into wireless equipment.

They are said to have then concealed the information in computer servers both in the US and Europe.

The Department of Justice said the scam caused “widespread” losses among banks, retailers and ordinary consumers – although it did not put a precise figure on the financial damage.

It seems like the usual suspects when it comes to hacking though, eastern European countries and China of course!

They seem to have covered their tracks pretty well so I wonder how they got caught. It’ll be an interesting case to follow and see what kind of sentences they get.

And of course if there’s any extradition involved.

Source: BBC News (Thanks Navin)

Posted in: Legal Issues, Privacy

23 Responses to TJX Credit Card Hackers Busted – Largest US Data Breach

  1. Finity August 12, 2008 at 1:31 pm #

    Hopefully they will make an example out of them. Odds are that information was sold before it was even in their hands!

  2. Navin August 12, 2008 at 1:46 pm #

    cheers :)

    Ya Finity, I do agree wid U… many a time in such cases, it’s the middlemen (the skiddies) who get caught and get immortalized as “hackers” while the real l33t h@x0r5 rarely come into the picture!!

  3. gmckee August 12, 2008 at 1:57 pm #

    Yeah, hopefully they waited long enough to get the people behind the front line attackers. Otherwise it is just a waste of time.

  4. lyz August 12, 2008 at 3:39 pm #

    I’m new here. Found this great site thru google. Anyway, back to the topic. The online world will surely celebrate (I think it is celebrating now) the capture of these guys. But as you gentlemen have said, I hope the “real bad guys” that have been hiding behind their masks will also be caught. Surely, their time will come. And I can’t wait till that happens!

    Bookmarked the website! :)

  5. Brill August 12, 2008 at 10:42 pm #

    What is really scary is that there are no clues about what really happened with that information (from the customer’s point of view)… I mean… was it already sold? It seems that only those who stole the information have been caught, but what happened with those who bought it? Have the customers been warned?
    As Darknet mentioned it looks like a well organised and international operation, so I guess no big fish even appeared in the picture… :(
    @Lyz… Welcome!! I have been reading this blog for some time but only started commenting a few days ago… it is really a very good place to be in the loop for security stuff.

  6. Morgan Storey August 13, 2008 at 2:51 am #

    I think the info must have been sold and used because even my wife had a re-issue of her card due to a breach at around the same time as the TJX incident.
    Also if you listen to the podcast, one of the presenters’ wives got a new card after someone bought $500 worth of stuff with her card after the TJX incident. The funniest thing is, weren’t they PCI certified…

    @Darknet: How do we submit articles? Do you want a hand approving posts? I am glad to be of service, and I am not, however, in too different a timezone to you.
    Also on the spam issue (I got blocked posting this 5 times), a captcha one of the other sites I post on uses is free and looks pretty good.

  7. lyz August 13, 2008 at 4:47 am #

    Thanks Brill!

    I really need to be updated. Just today, two of the websites on our shared hosting have just been hacked. SQL vulnerabilities. :( These developers are really hard-headed. tsktsk

  8. Pantagruel August 13, 2008 at 6:57 am #

    It shows crime indeed doesn’t pay even though it might take quite some time before you’re actually caught.

    As some have mentioned before, the big question is indeed whether the compromised card holder companies informed their customers in any way or form. If the captured cc data has indeed been sold (multiple times, I presume) and the involved companies disclosed little, the actual losses will keep popping up.

    I guess the cc companies will be reluctant to admit being among those suffering from the TJX data breach (image and all that nonsense)

  9. zupakomputer August 13, 2008 at 4:57 pm #

    I commented on this same story at a forum, and listed a bunch of vulnerabilities about cards in general and online banking. Then the guy that had posted it tried to claim I made up the vulnerabilities, and he said this kind of fraud would only be prevented by the US adopting a chip & pin on credit cards.
    As if that would prevent it!

  10. eM3rC August 13, 2008 at 6:11 pm #

    The thing that scares me the most about busts like this is the information. Although the criminals have been caught there is no knowing where the information may have gone.

    Consider this. When they got the information they uploaded it to a file hosting server or some high tier hacker forum for their close colleagues to view and work with. The question is how many people had/have access to the information and what is still being done with it.

    I would also be willing to bet that some of it has been sold off for extra profit.

  11. Morgan Storey August 13, 2008 at 11:18 pm #

    I would say without doubt the responsible credit card companies cancelled the compromised cards and re-issued them. So at least the cancelled ones are no longer of use to whoever had or still has access. My suggestion to those that think they may have been among the compromised (if you bought at TJX, odds on you were): just get the cards re-issued for the hell of it.
    I have started customising my signature recently to make it a one-off signature every time I sign, so that if it comes back to me I can look for the one-off mark and contest it if it isn’t there. I am wondering if these hackers got any signatures or PINs, as that could be bad since people are likely to use these again.

  12. Benjamin Wright August 14, 2008 at 1:04 am #

    Careful reading of the indictments show that the media, card issuers and Federal Trade Commission over-reacted to the TJX incident. TJX was not as bad as we were led to believe. –Ben

  13. Brill August 14, 2008 at 2:58 pm #

    Very good point from Morgan Storey. I assume that this company was PCI compliant… So this would be an example of how being compliant with current laws and regulations doesn’t mean that you are secure at all (although I agree that at least all those rules establish a minimum).

  14. Morgan Storey August 15, 2008 at 4:54 am #

    Correct Brill, they establish a minimum that needs to be maintained; in this case it wasn’t and they got caught out. PCI responded by becoming more secure and strict.
    From this and other articles it is now being said that they broke WEP passwords and dumped in trojans and keyloggers to get the info. Interesting how any company in this day and age doesn’t have a strict wireless policy. Good ones are WPA1 (min), preferably WPA2, with a keyphrase longer than 12 characters, or no wireless at all depending on location, SSID broadcast preferably off, and policy set on laptops to only allow infrastructure mode.

  15. lyz August 15, 2008 at 10:56 am #

    Maybe coz’ some other people are not that knowledgeable, technically speaking? Having a working internet connection is fine and enough for them. They don’t care about the pros and cons. That’s why information dissemination is important.

    Or maybe it’s time to tell them to hire new IT/network staff! :D lol

  16. Morgan Storey August 15, 2008 at 11:33 am #

    @lyz: again not buying it, a company like TJX has a CSO, or at least someone in their security department. They need to wake up or, as you put it, they will be replaced with new staff.

  17. lyz August 15, 2008 at 11:46 am #

    Not talking about TJX here.. I meant companies that are not having those strict wireless policies.. :D

  18. Brill August 15, 2008 at 7:58 pm #

    About being PCI compliant, when I say that it’s a minimum what I am trying to say is that all laws/regulations become obsolete by definition. Even if the security requirements of any law and/or specification change in response to incidents… we all know that there are always new security threats/holes appearing at very high speed (in fact that is a perfect example of why regulations become obsolete).
    They are necessary (as a minimum) but people should be aware that just because a company is PCI compliant or SOX compliant, etc. doesn’t mean that it is also “SECURE”.

  19. Morgan Storey August 16, 2008 at 7:22 am #

    @Brill: But proper compliance regimes such as PCI and SOX require regular log reviews and regular testing of security. Of course this is like the whole no speeding, or no lying: some people don’t, some do… Just shows PCI and SOX need more spot checking etc. They also need to enforce security training and policies for IT staff.

    @lyz: cmon, little companies only need either an IT guy that knows what he is doing, or to outsource it. I used to be a consultant, and I always warned customers on security issues, and locked down issues. WPA is easy to set up and if I came in and found an AP that wasn’t WPA compatible I would turn it off, warn them and geez, get it replaced with a $100 AP that did.
    Even 1 person companies need to know about security issues, like they know they need insurance, accounting etc.

  20. lyz August 16, 2008 at 7:52 am #

    That’s why every company dealing with the online world needs staff dedicated to securing the network, coz’ some other people don’t really care about this thing. And we know that it’s a fact. Am not against anything here…

  21. Morgan Storey August 16, 2008 at 10:18 am #

    @lyz: Correct, so do ones that aren’t dealing with the online world (can anyone say SCADA) and that’s why we will all have jobs till computers are no longer relevant. I don’t see that happening for a long, long time.

  22. lyz August 16, 2008 at 6:01 pm #

    lol, not telling that. just forgot to mention that a while back.

  23. zupakomputer August 18, 2008 at 11:00 am #

    What jobs?! None over here. Not even those kinds where you get trained (from your own web surfing I mean, as issues arise) as-you-earn.