Federal investigators have charged 11 people in connection with a retail hacking ring that stole and sold more than 41 million credit and debit card numbers from OfficeMax, Barnes & Noble and other major retailers, the Justice Department reported this week.
According to a grand jury indictment returned Tuesday in Boston, the group hacked into the wireless computer networks of large retail outlets to retrieve payment data from millions of customers, including their passwords and account information.
The stolen data was then stored on encrypted servers in the United States and Eastern Europe and sold over the Internet, investigators say. It was also encoded on blank cards, which were used to withdraw tens of thousands of dollars from ATMs, they say.
The group, which includes U.S. citizens and foreign nationals from Estonia, Ukraine, and China, is being charged with conspiracy, computer intrusion, fraud, and identity theft, among other charges.
At a press briefing, Attorney General Michael Mukasey called the scheme the "single largest and most complex identity theft case ever charged in this country." He said the total dollar value of the theft was impossible to quantify, and that investigators have yet to identify all the victims.
"Where criminals are able to breach computer systems, as alleged here, they have enormous ability to cause harm," Mukasey said. "The annual costs to American citizens and businesses are in the billions."
Retailers say they're often required to store customer data for up to a year to satisfy card company retrieval requests, making them vulnerable to hackers. In a letter to the Payment Card Security Standards Council last year, the National Retail Federation urged credit card officials to give store owners the option of retaining paper receipts, rather than electronic data.