The world’s greatest bank thief is in custody. Authorities pressed charges against Miami mastermind Albert Gonzalez and 11 others for ripping off over 45.7 million consumers’ credit cards from TJ Maxx and other retailers. The stolen numbers were sold to other scammers who manufactured fake debit cards and drained their victims’ accounts. The breach stemmed mainly from TJ Maxx stores using an unsecured wireless router.

Personally, I can’t believe TJX is still in business after that debacle. Their stock actually went UP the quarter after this happened.
People are dumb.
Wow, I’m surprised it took this long. I thought they would have caught them early on or never at all by this point…
Anyone else find it entertaining that someone named Albert Gonzales will likely deny all knowledge of wrongdoing in court?
It’s about time they busted Gonzo
@R3PUBLIC0N: Or at least claim that he has no recollection of any. If I were him I’d do it just for the laugh, as he probably won’t get many in the future.
How do you only steal “tens of thousands” from “45.7 million consumer’s credit cards”?
So now it’s safe to shop there again!
…Not.
So now we have to worry about unsecured wireless routers? Are we now supposed to ask at the stores we shop in if they have secured wireless routers before we buy anything? How depressing. Sigh.
@Diet-Orange-Soda: I think it’s a misquote in the summary. The full quote in the article reads
It looks like so far all they have caught is the Gonzales guy. I don’t see where they have apprehended the others. Extradition from some of those other countries could be tricky.
Yeah, how about not storing my personal data at all? Or at the very least, don’t store my credit/debit card information after a transaction has completed.
Yeah, and let’s put “Pay Pass” RFID chips on credit and debit cards so that those can be compromised as well!
I can’t believe stores are allowed to keep that information. That should be a policy no-brainer.
@Evil_Otto: Technically, their liability was minimal at the time this happened, so was the victims’. Standards have improved though.
First, this group certainly wasn’t the “greatest bank thief”, because they got caught. Duh.
@howie_in_az:
In most cases, this information is required by the CC companies to be stored, mostly for refund processing. It’s not bad that they stored it, it’s bad that they had poor security.
@howie_in_az: Unfortunately the retail company will need to keep that information until settlement, which happens on a daily/weekly/monthly basis. After that, as of about 8 months ago, it is illegal to store that information.
@IamNotToddDavis: As long as we promise not to send them to the electric chair, most countries don’t mind sending us their criminals.
@R3PUBLIC0N: I’d figured he had just gone back to his job selling pools in Tulsa.
@zarex42: that’s not true at all. each transaction has a transaction # – this is really all that CC companies require the merchant to store for any purpose (aside from a signed receipt).
I worked with a project dealing with the data end of this for a retailer many moons ago. Mac-phisto is right, they only need to store the trans number. The idea of not hanging onto customer data is not a new concept.
@R3PUBLIC0N: I imagine the trial going something like this:
Judge: Mr. Gonzales, you are accused of being a bank thief. How do you plead?
Albert Gonzales: I plead I Don’t Recall, Your Honor.
Judge: Fair enough. Case dismissed.
@DrGirlfriend: I came here for the Alberto Gonzales jokes and did not leave disappointed.
@theblackdog: Awww, I wanted it to be because people were checking their statements and canceling their cards the second something funny showed up.
@Evil_Otto: Yeah, I don’t understand why this didn’t freak out stockholders, especially considering how much TJX paid out to settle complaints.
Wow.
@Corydon: Glad to be of service.
YES! Federal pound-me-in-the-ass prison!
I hear the trick is: kick someone’s ass the first day, or become someone’s bitch
@Wormfather is Wormfather: Unfortunately the retail company will need to keep that information until settlement, which happens on a daily/weekly/monthly basis. After that, as of about 8 months ago, it is illegal to store that information.
Umm, how about NO. The only thing you need is the last 4 digits and the approval number & electronic sig (though the sig isn’t required for batch). If you’re getting hand signed receipts then you’d need to keep those for 90 days, but even those should just be the last 4 digits / exp / sig as well.
Been that way for quite a long time, more than a couple years…
@RabbitDinner: Just rewatched that last night.
@R3PUBLIC0N:
I knew that guy was up to no good ever since he became attorney general…
@crackblind: Funny movie. Too bad Mike Judge hasn’t had more mainstream success, I’d really like to see more from him. I still hate him for leaving Beavis and Butthead to make King of the Hill though
Thanks for the heads up, Consumerist. I passed this along to my mother who shops at a few of the affected stores, and it turns out the bank just shut off her debit card unexpectedly- maybe in relation to this? Who can say for sure. :/
Yep just to confirm, in fact CC companies are pushing towards change of not holding cc information, the thieves prolly grabbed the information while the transactions were happening (aka through fake pos scanners) like [consumerist.com]
@mac-phisto:
It is true. Our work’s processor, for one, requires it, and scolded us for not having the info. Maybe not all do.
seems big media is picking up the story too, here’s a report on it from the BBC [www.bbc.co.uk]
Hooray for the good guys! Federal charges, baybeeee!
Tacky Maxx
they’re useless!
@zarex42: what exactly are you storing? in order to be compliant with PCI DSS, at most you should be retaining name, account #, expiration date, authorization # & nothing else.
if your processor is requiring you to retain more (stripe data or CVV2/CVC track data), they are opening you up to a whole can of whoopass. never mind a few pissed off customers – network fines related to non-compliance are astronomical. i would recommend shopping around or voicing your disapproval with the processor & possibly the networks. this is a hot topic with the networks right now – the security of their network, which is the foundation of the entire system is at risk.
& just as i’m writing this, i see this story pop up on my rss ticker –> [news.bbc.co.uk]
*chuckle*
@DrGirlfriend: …and here’s a nice consulting job at this thinktank/lobbying firm/law firm/etc., sir.