Eleven people have been charged in connection with a massive credit card data theft that affected multiple retailers, including TJX Cos., BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes and Noble, Sports Authority, Forever 21 and DSW.
The data breaches, accomplished through the hacking of retailers’ wireless Internet connections, resulted in the theft and sale of more than 41 million credit and debit card numbers. Officials have not yet identified all the alleged theft victims, and the total dollar amount of the theft has not been ascertained. Many of the individual retailers affected are still estimating the extent of the breach as well; TJX, for example, has said that at least 45.7 million cards in its computer system were exposed to possible fraud, though some of the banks suing the retailer put the number closer to 100 million.
“Although the indictment states that several retailers were targeted, it does not provide specifics about Barnes & Noble and does not list customer names,” reads a statement from Mary Ellen Keating, a spokesperson for Barnes and Noble Inc. “Barnes & Noble takes the privacy and security of the personal information of our customers very seriously, and we are reviewing this matter carefully. We regularly assess and enhance our security measures and want to assure our customers that it is safe to shop at Barnes & Noble.”
Attorney General Michael B. Mukasey, speaking at the Identity Theft Press Conference, said the case — the largest and most complex identity theft case ever charged in the US — exemplified consumers’ growing vulnerability to identity theft.
“Even as [computer networks and the Internet] provide extraordinary opportunities for legitimate commerce and communication, they also provide extraordinary opportunities for criminals,” he said. “Where criminals are able to breach computer security systems, as alleged here, they have enormous ability to cause harm.”
Mukasey also noted that the prosecution and punishment of identity thieves are crucial factors in combating future breaches. Charges against the eleven perpetrators in this case include conspiracy, computer intrusion, fraud and identity theft. Albert Gonzalez of Miami, who was named as the ringleader of the group, faces the possibility of life in prison.
“Criminal prosecution is an essential component to attack identity theft,” agrees Betsy Broder, assistant director for the FTC’s division of privacy and identity protection. “But we think civil enforcement is also important. It’s not efficient to just go against the bad guys because there are also companies that have failed to take reasonable steps to safeguard data and understand their obligations.”
The FTC has previously brought actions against three of the hacked companies — DSW, TJX and BJ’s — for failing to implement safeguards for consumer information.
“The commission’s approach is not that every company has to safeguard against every conceivable risk, but when there are risks that are well-known and easily accessible, it’s incumbent upon companies to take steps to safeguard information and prevent consumers from being harmed.”