TJX Credit Card Theft Crew Busted

The world’s greatest bank thief is in custody. For ripping off over 45.7 million consumer’s credit cards from TJ Maxx, and other retailers, authorities pressed charges on Miami mastermind Albert Gonzalez and 11 others. The stolen numbers were sold to other scammers who manufactured fake debit cards and drained their victims’ accounts. The breach stemmed mainly from TJ Maxx stores using an unsecured wireless router.

U.S. charges 11 in theft of TJX customer data [Forbes]


Edit Your Comment

  1. Evil_Otto would rather pay taxes than make someone else rich says:

    Personally, I can’t believe TJX is still in business after that debacle. Their stock actually went UP the quarter after this happened.

    People are dumb.

  2. GavinEstecado says:

    Wow, I’m surprised it took this long. I thought they would have caught them early on or never at all by this point…

  3. R3PUBLIC0N says:

    Anyone else find it entertaining that someone named Albert Gonzales will likely deny all knowledge of wrongdoing in court?

  4. bologna_wallet says:

    It’s about time they busted Gonzo

  5. floraposte says:

    @R3PUBLIC0N: Or at least claim that he has no recollection of any. If I were him I’d do it just for the laugh, as he probably won’t get many in the future.

  6. Diet-Orange-Soda says:

    How do you only steal “tens of thousands” from “45.7 million consumer’s credit cards”?

  7. Nakko says:

    So now it’s safe to shop there again!


  8. whatdoyoucare says:

    So now we have to worry about unsecured wireless routers? Are we now supposed to ask at the stores we shop in if they have secured wireless routers before we buy anything? How depressing. Sigh.

  9. theblackdog says:

    @Diet-Orange-Soda: I think it’s a misquote in the summary. The full quote in the article reads

    They then sold the information to people in the United States and Europe, who used it to withdraw tens of thousands of dollars at a time from automated teller machines, authorities said.

  10. It looks like so far all they have caught is the Gonzales guy. I don’t see where they have apprehended the others. Extradition from some of those other countries could be tricky.

  11. howie_in_az says:

    “This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results,” Michael Sullivan, U.S. Attorney in Boston, said in a statement. “Consumers, companies and governments from around the world must further develop ways to protect our sensitive personal and business information.”

    Yeah, how about not storing my personal data at all? Or at the very least, don’t store my credit/debit card information after a transaction has completed.

  12. INsano says:

    Yeah, and let’s put “Pay Pass” RFID chips on credit and debit cards so that those can be compromised as well!

    I can’t believe stores are allowed to keep that information. That should be a policy no-brainer.

  13. Wormfather is Wormfather says:

    @Evil_Otto: Technically, their liablity was minimal at the time this happened, so was the victims. Standards have impoved though.

  14. zarex42 says:

    First, this group certainly wasn’t the “greatest bank thief”, because they got caught. Duh.

    In most cases, this information is required by the CC companies to be stored, mostly for refund processing. It’s not bad that they stored it, it’s bad that they had poor security.

  15. Wormfather is Wormfather says:

    @howie_in_az: Unfortunatly the retail company will need to keep that information until settlement, which happens on a daily/weekly/monthly basis. After that, as of about 8 months ago, it is iligal to store that information.

  16. @IamNotToddDavis: As long as we promise not to send them to the electric chair, most countries don’t mine sending us their criminals.

  17. drjayphd says:

    @R3PUBLIC0N: I’d figured he had just gone back to his job selling pools in Tulsa.

  18. mac-phisto says:

    @zarex42: that’s not true at all. each transaction has a transaction # – this is really all that CC companies require the merchant to store for any purpose (aside from a signed receipt).

  19. bohemian says:

    I worked with a project dealing with the data end of this for a retailer many moons ago. Mac-phisto is right, they only need to store the trans number. The idea of not hanging onto customer data is not a new concept.

  20. DrGirlfriend says:

    @R3PUBLIC0N: I imagine the trial going something like this:

    Judge: Mr. Gonzales, you are accused of being a bank thief. How do you plead?

    Albert Gonzales: I plead I Don’t Recall, Your Honor.

    Judge: Fair enough. Case dismissed.

  21. Corydon says:

    @DrGirlfriend: I came here for the Alberto Gonzales jokes and did not leave disappointed.

  22. Rectilinear Propagation says:

    @theblackdog: Awww, I wanted it to be because people were checking their statements and canceling their cards the second something funny showed up.

    @Evil_Otto: Yeah, I don’t understand why this didn’t freak out stockholders, especially considering how much TJX paid out to settle complaints.

    He faces life in prison if convicted of all charges.


  23. DrGirlfriend says:

    @Corydon: Glad to be of service.

  24. RabbitDinner says:

    YES! Federal pound-me-in-the-ass prison!

    I hear the trick is: kick someone’s ass the first day, or become someone’s bitch

  25. Inglix_the_Mad says:

    @Wormfather is Wormfather: Unfortunatly the retail company will need to keep that information until settlement, which happens on a daily/weekly/monthly basis. After that, as of about 8 months ago, it is iligal to store that information.

    Umm, how about NO. The only thing you need is the last 4 digits and and the approval number & electronic sig (though the sig isn’t required for batch). If you’re getting hand signed receipts then you’d need to keep those for 90 days, but even those should just be the last 4 digits / exp / sig as well.

    Been that way for quite a long time, more than a couple years…

  26. crackblind says:

    @RabbitDinner: Just rewatched that last night.

  27. Parapraxis says:


    I knew that guy was up to no good ever since he became attorney general…

  28. RabbitDinner says:

    @crackblind: Funny movie. Too bad Mike Judge hasn’t had more mainstream success, I’d really like to see more from him. I still hate him for leaving Beavis and Butthead to make King of the Hill though

  29. Yurei says:

    Thanks for the heads up, Consumerist. I passed this along to my mother who shops at a few of the affected stores, and it turns out the bank just shut off her debit card unexpectedly- maybe in relation to this? Who can say for sure. :/

  30. dakker says:

    Yep just to confirm, in fact CC companies are pushing towards change of not holding cc information, the thieves prolly grabbed the information while the transactions were happening(aka through fake pos scanners) like []

  31. zarex42 says:


    It is true. Our work’s processor, for one, requires it, and scolded us for not having the info. Maybe not all do.

  32. dakker says:

    seems big media is picking up the story too, heres a report on it from the BBC []

  33. FrankReality says:

    Hooray for the good guys! Federal charges, baybeeee!

  34. malcs says:

    Tacky Maxx

    they’re useless!

  35. mac-phisto says:

    @zarex42: what exactly are you storing? in order to be compliant with PCI DSS, at most you should be retaining name, account #, expiration date, authorization # & nothing else.

    if you processor is requiring you to retain more (stripe data or CVV2/CVC track data), they are opening you up to a whole can of whoopass. nevermind a few pissed off customers – network fines related to non-compliance are astronomical. i would recommend shopping around or voicing your disapproval with the processor & possibly the networks. this is a hot topic with the networks right now – the security of their network, which is the foundation of the entire system is at risk.

    & just as i’m writing this, i see this story pop up on my rss ticker –> []


  36. dweebster says:

    @DrGirlfriend: …and here’s a nice consulting job at this thinktank/lobbying firm/law firm/etc., sir.