One Guilty Plea In TJX Data Breach Case, As More Victims Emerge
Written by Evan SchumanAs one of the 11 defendants in the federal data breach charges involving TJX and others pleaded guilty Thursday (Sept. 11), federal officials confirmed that there are quite a few other victims of the breach that have yet to be publicly identified.
The retailers identified publically are TJX, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.
It’s already known that one of the unidentified chains (which is one of the nation’s largest retailers) was the first to detect the cyberthieves.
In a filing on Thursday, U.S. Attorney Michael Sullivan told U.S. District Court Judge William G. Young that "There is forensic and/or testimonial evidence that the defendant and his co-conspirators hacked into numerous other businesses, which have not yet been publicly identified." The filing did not specify how many of those businesses are retailers.
The filing added that "hundreds of banks were victimized and potentially victimized as stolen credit card information was fraudulently used. As of this juncture, the government has not identified that list of banking institutions by name."
The defendant who pled guilty is Damon Patrick Toey, 23, of Miami. He agreed to accusations of wire fraud, credit card fraud and aggravated identity theft. He was said to have aided Albert Gonzalez in running the crime ring. Gonzalez pleaded not guilty the same day.
According to a Boston Globe story, when Young asked him why he was pleading guilty, Toey said that federal prosecutors "have enough, other than what I’m pleading guilty to," on him, "that would make it a lot worse, in my opinion."
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
