by CIO Staff

Stolen TJX Customer Data Used in Crime Spree

Mar 21, 20074 mins
IT Leadership

Law enforcement officials in Florida have arrested six individuals suspected of carrying out a fraud scheme built around the misuse of credit card data stolen from retailer TJX Companies.

In partnership with the Gainesville Police Department, officials from the Florida Department of Law Enforcement said they have taken six of 10 suspects into custody for allegedly using the TJX customer data to purchase large quantities of gift cards from discount chains Wal-Mart and Sam’s Club.

The series of arrests marks the first specific instance of crime to be connected to the TJX data heist, although some banks have previously reported that accounts held by consumers affected by the incident had been used in attempted fraud around the globe.

Florida Department of Law Enforcement officials confirmed that they initially reported the crime ring to Framingham, Mass.-based TJX in November 2006. The retail chain began informing its customers about the data breach—blamed on a computer systems intrusion—in mid.-January 2007.

TJX media representatives didn’t immediately return a call seeking comment on the arrests.

The suspects were reported by Florida law enforcement officials to have been traveling throughout the state buying large quantities of Wal-Mart gift cards with the stolen credit card accounts, and then redeeming the cards at other locations. Among the items purchased by the scammers were computers, gaming devices and big-screen TVs.

Losses experienced by Wal-Mart and the banks issuing the credit cards total more than US$8 million, and are still being calculated, according to Florida officials. The suspects arrested were charged with organized scheme to defraud, a first-degree felony, and had their bonds set at $1 million each.

Arrested and booked in Metro-Dade County for the crime spree were Irving Escobar, age 18; Reinier Camaraza Alvarez, 27; Julio Oscar Alberti, 33; Dianelly Hernandez, 19; Nair Zuleima Alvarez, 40; and Zenia Mercedes Llorente, 23.

The Florida Department of Law Enforcement said it has also issued warrants for four other people believed to be involved in the scheme.

The time line established by the Florida arrests could help to shed light on the factors that pushed TJX—which operates a handful of North American and European retail chains including T.J. Maxx, Marshalls, HomeGoods and A.J. Wright—to inform the public of its data breach.

On Jan. 17, TJX first reported that a computer systems intrusion may have compromised the personal data of an undetermined number of its customers, with hackers able to make off with individuals’ credit card, debit card and check information, along with data related to merchandise return transactions.

While the company has refused to reveal how many customers may be affected by the incident, TJX officials have confirmed that a majority of the data involved is related to people who shopped at its stores in the United States, Canada and Puerto Rico during 2003, and between May and December 2006.

On Feb. 21, TJX announced that it had discovered a new set of IT systems intrusions that exposed the personally identifiable information of its customers. Company officials said that in addition to the IT systems break-ins it detailed in January, it now believes that intruders infiltrated its databases repeatedly during 2005.

Reports of crime connected to the TJX data theft first surfaced on Jan. 24, when the Massachusetts Bankers Association reported that several banks in the state had observed instances of fraud specifically related to the accounts of consumers involved in the TJX incident.

The industry group said at the time that it had received reports of criminal activity carried out via debit and credit card accounts exposed in the heist in locations including Florida, Georgia and Louisiana in the United States, as well as in Hong Kong and Sweden overseas.

When TJX first reported the incident in January, company officials said they had become aware of the data theft in late 2006 but waited to begin informing customers of the breach in deference to ongoing law enforcement investigations, including those being carried out by the U.S. Department of Justice and U.S. Secret Service.

The Massachusetts Bankers Association, among others, publicly criticized the company for not moving to disclose the incident faster.

Over the past two years, more than 30 U.S. states have adopted new laws that establish more rigid guidelines for the reporting of consumer data exposure. A bill under consideration in Massachusetts would require organizations to inform consumers within five business days after a breach affecting their data is detected.

-Matt Hines, InfoWorld