TJX data theft leads to money-laundering scam

USA TODAY
June 12, 2007

By Jon Swartz and Byron Acohido, USA TODAY

Find the original copy of this article here:

JACKSONVILLE – Last fall, 19-year-old Irving Escobar crisscrossed northern and central Florida using counterfeit credit cards to buy stacks of $400 gift cards from Wal-Mart stores, cashing them in to buy TVs, PCs and jewelry from Wal-Mart subsidiary Sam’s Clubs in south Florida.

The scam was easy money: Escobar and several Miami-based accomplices traveled in rental cars to the state’s Wal-Mart stores, according to a criminal complaint by the Florida Department of Law Enforcement.

With credit cards supplied by an unnamed recruiter, they bought gift cards in $400 increments – just below the $500 limit that requires a manager’s approval. At one store, they hauled out 60 $400 gift cards.

Back in Miami, they went on extravagant shopping sprees. In one, Escobar purchased $112,000 in goods with gift cards. Authorities estimate the group acquired $1 million in goods.

Escobar stashed some of the booty at the home he shared with his mother, who was arrested and charged. He returned some merchandise for cash refunds, and he probably sold some of the gift cards, according to Florida law-enforcement officials.

“It was modern-day money laundering,” says Amy Osteryoung, an assistant statewide prosecutor who handled the case for Florida Attorney General Bill McCollum.

But this was no ordinary scam. It was part of a sophisticated operation that started with the theft of credit card data on 45.7 million customers of TJX – parent company (TJX) of retailers T.J. Maxx and Marshalls. Investigators believe it is the boldest tangible evidence of criminals cashing in on hacked data from TJX – the nation’s largest reported computer data breach, which TJX disclosed in January.

More than 500 incidents, including TJX, have been reported of records compromised for millions of individuals since 2005, according to the Privacy Rights Clearinghouse.

What’s more, the Florida scam took advantage of burgeoning markets for counterfeit credit cards and authentic gift cards – and it could be easily repeated anywhere. “Who’s to say this scam wasn’t happening in other states, with other retailers?” says Brian Riley, senior bank card analyst at TowerGroup.

Escobar, whom investigators believed to be the ring leader in Miami, and five others were arrested in March. They have pleaded guilty to an organized scheme to defraud and await sentencing. Another person was later arrested. Three other suspects remain at large. Whoever hired Escobar and supplied him with fake credit cards – produced with small, card-swiping devices available on the Internet – also remains at large.

Indeed, what happened in Florida bears the hallmarks of organized crime, offering a glimpse into how crooks convert mountains of stolen financial data into cash, says Martin Carmichael, chief security officer at tech security giant McAfee.

“There are structures in place on the Internet and elsewhere to distribute data, repackage it (in the form of fake credit cards) and use the reconstituted data to buy goods,” Carmichael says.

John Pironti, a computer-security expert who consults financial institutions, says those arrested in the Wal-Mart scam were merely the last link in a long chain of criminals. “The hackers are 10 ways removed from this,” he said.

Irving’s excellent adventure

What Escobar and his group pulled off didn’t require as much skill as moxie. Armed with $400 gift cards – bought with the credit card account information of California residents – Escobar and crew shopped during the hectic holiday season. To expedite things, Escobar posed as the owner of an import/export business and befriended female employees, investigators say.

At a Wal-Mart in Jacksonville on Oct. 28, Escobar and Erick Rodriguez, 30, used four stolen credit cards to purchase $41,200 worth of gift cards, according to the criminal complaint.

On Nov. 1, Escobar, Rodriguez and Alexis Arcia, 34, purchased $42,000 in gift cards from two Wal-Marts in Gainesville, Fla. The three fanned out at the cavernous stores, making purchases at more than 30 checkout stations in different departments, the complaint said.

A week later, Bank of America informed a startled Marsha Carney that her Visa card number was used to purchase the gift cards in 60 separate transactions at Gainesville Wal-Mart store No. 1081. The crooks celebrated their haul with a $290 tab at the Stonewood Grill & Tavern, also in Gainesville, according to Carney’s credit card statement.

“I was shocked. I would never have believed that they could amass such an amount,” says Carney, a 65-year-old retiree in Oceanside, Calif., who says she has shopped at Marshalls but never at Wal-Mart.

Earlier the same day, the credit card number of Thomas Fermin, a biomedical engineer in Victorville, Calif., was used to illegally buy $18,000 in gift cards from another Wal-Mart in Gainesville. “I did not lose the card, but someone charged thousands of dollars to it,” says Fermin, 55, whose Visa card was issued by Bank of America.

For the most part, consumers haven’t been held liable for fraudulent TJX charges. Credit card customers are usually liable for only the first $50 in bogus charges, anyway. Debit card holders can be held liable for unauthorized purchases if they don’t report them within 60 days.

Neither Visa nor Bank of America comment on specific cases. Each say they provide strong monitoring programs that balance customer convenience and fraud risk. Visa does not publicly disclose fraud rates for counterfeit credit cards.

About one-third of all credit card fraud in the USA involves the use of counterfeit credit cards, says TowerGroup’s Riley.

On Nov. 1, the whirlwind activity of Escobar and Co. – who went from checkout line to checkout line, buying gift cards – caught the eye of a Wal-Mart employee, who contacted the store’s loss-prevention officers. They trailed the suspects to the parking lot, where the license plate of a rented car – a white Jeep Commander – was traced to Escobar, the complaint said.

Police and Wal-Mart security officers pieced together the group’s movements by poring over store surveillance video, credit card receipts and interviews with store employees.

Escobar’s attorney, Marie Verde, declined comment.

TJX hack

Escobar’s road trip would not have been possible if TJX customer data had stayed where they belonged.

TJX has not disclosed precise technical details of how the breach occurred. Company officials say hackers may have pilfered bank card data as customers making purchases waited for their transactions to be approved. TJX transmitted the data to banks “without encryption,” it acknowledged in an SEC filing, a violation of credit card company guidelines.

The stolen TJX data could have been sold on websites where stolen identity data are readily available, Pironti says. Or the criminals responsible for the breach could have used the information themselves or sold it to groups that specialize in manufacturing fake credit cards, Gartner banking security analyst Avivah Litan and others say.

The fake cards supplied to Escobar’s group “were extremely polished cards,” says Keith Kameg, a spokesman for the Gainesville Police Department.

The bogus credit cards had embossed names on the front that did not match the true account holder’s data embedded on the magnetic stripe on the back of the card, according to documents from the Florida Department of Law Enforcement. The account data on the magnetic stripe traced back to records for victimized TJX customers.

In April, the U.S. Secret Service got a small step closer to the counterfeiters. Agents set up a sting that resulted in the arrest of Florida-based Miguel Bruguera, 20, who traveled with more than a dozen counterfeiting devices. Agents caught him in the act of supplying the Escobar group with fake cards, according to a criminal complaint filed with the U.S. District Court in Orlando.

Bruguera was unaware of the March arrests in Miami and had no inkling one of Escobar’s ring had agreed to become a federal informant. So Bruguera agreed to an April 17 meeting at the Embassy Suites hotel in Orlando, says the complaint, which does not name the informant.

The informant, wearing a hidden recording device, entered the hotel room and found Bruguera in the process of using a small plastic device to capture and imbed magnetic stripe data on 40 fake cards with stolen account data that was being relayed over the phone by someone named Frank.

According to the complaint, Bruguera then drove his white Cadillac Escalade to a Wal-Mart in Orlando, where Secret Service agents tailed him and the informant. The two bought gift cards with the freshly minted credit cards and returned to the hotel, where cops nabbed Bruguera. From Bruguera’s Escalade, agents confiscated two small black plastic devices about half the size of a pack of cigarettes. Each mini black box had enough internal memory to store magnetic stripe data for 1,000 payment cards.

The Secret Service, which has assigned agents in Miami and Orlando to examine the Florida group, according to criminal complaints, had no comment.

More crimes to come?

Wal-Mart declined to discuss the ongoing investigation. Company spokesman John Simley says it isn’t unusual for Sam’s Club patrons to spend thousands of dollars per visit.

“Visa authorizes a bazillion Wal-Mart transactions a day,” says Paul Moriarty, director of product development for Internet content security at Trend Micro. “What the crooks did, especially during the holidays, was not unusual.”

That notion has many security experts – Moriarty included – concerned that stolen TJX data were exploited at other retailers in other states. “We believe many retail establishments could have been similarly victimized,” TJX Vice Chairman Donald Campbell said in a May 4 letter to The Wall Street Journal.

The Massachusetts attorney general’s office is leading an investigation among more than 30 states, including Connecticut and Rhode Island, to determine if TJX’s systems were secure. TJX faces potential fines and restitution payments, Massachusetts officials say.

Framingham, Mass.-based TJX says it has undertaken a “thorough, painstaking investigation of the breach.” It hired 50 people at two leading data-security firms in December, before it disclosed the breach. It has also taken a charge of $17 million in its last two fiscal quarters for costs related to the breach.

TJX says it will pay for a credit-monitoring service to help avert identity theft for customers whose driver’s license numbers were the same as their Social Security numbers and were believed stolen.

Its losses could mount under a flood of litigation, security experts say. Federal lawsuits in five states have been filed against TJX since late March, TJX said in an SEC filing last week. TJX also faces litigation in Massachusetts, California, Alabama, Puerto Rico and Canada. “Those are just the first drops in the ocean,” Moriarty says.

Swartz reported from Jacksonville; Acohido reported from Seattle.