Forty-one million credit and debit card numbers were stolen and then resold by people who, prosecutors say, hacked into the computers of several retailers.
The information was taken from stores and restaurants that include Office Max, Sports Authority, Boston Market, TJ Maxx, Marshall's and DSW.
Authorities say it could be some time before they know who all of the victims are. Many consumers are wondering what can be done to protect themselves from identity theft.
Protecting yourself does require you to do a bit of work. Local experts say the good news is, if it was your credit card that was compromised, most likely you won't be liable for fraudulent charges. But if it's your ATM or debit card and you don't report it right away, you may be stuck with it.
More than 40 million credit and debit card numbers were stolen. The eleven suspects arrested are from the U.S., Eastern Europe and China.
And many people are finding out Wednesday they are victims.
"This is the single largest and most complex identity theft case that's ever been charged in this country," said Michael Sullivan, U.S. attorney.
Hackers targeted major retailers, including Barnes and Noble, Discount Shoe Warehouse and others, breaking into their wireless networks.
The hackers then sold some of the credit card information and created duplicate cards. With those, they stole tens of thousands of dollars at a time at ATMs, totaling losses estimated in the hundreds of millions.
Steve Bernas of the Better Business Bureau of Chicago says many panicked consumers have been calling.
So what should you do?
First, report any suspected fraud immediately.
If it's your credit card that's been compromised, your maximum liability under federal law for fraud is $50, Bernas says, no matter how long it takes you to report it.
But if it's your debit or ATM card, you have two days to report the loss, or you could be stuck on the hook.
"So you need to notify right away and check your records as well," said Bernas. "If it's two or three months down the road, you may be liable for the full amount that was taken out of your own checking or savings account using your ATM card or debit cards."
Also, Bernas says, check your bank and credit card statements frequently. And get your credit report. By law, it's free once a year by going to annualcreditreport.com.
"The most important thing consumers should do is get your credit report on an annual basis. It's free of charge and that's a good way to determine if you've been the victim of identity theft," said Bernas.
Bernas says another major scam to watch out for is phishing. That's when you'll receive an e-mail that looks like it's from a bank, and they're asking you to provide information such as your Social Security number or account number. You should never respond to those, Bernas says. No legitimate bank ever sends out those kinds of requests.
Eleven people, including a U.S. Secret Service informant, have been charged in connection with data breaches at nine major retailers, the Justice Department announced Tuesday. Three of those charged are U.S. citizens while the others are from places such as Estonia, Ukraine, Belarus and China.
The indictment returned Tuesday by a federal grand jury in Boston alleges that the suspects hacked retailers including BJ's Wholesale Club and Forever 21.
"They used sophisticated computer hacking techniques that would allow them to breach security systems and install programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves," Attorney General Michael Mukasey said at a news conference. "And in total, they caused widespread losses by banks, retailers, and consumers."
Mukasey called the total dollar amount of the alleged theft "impossible to quantify at this point." U.S. Attorney Michael J. Sullivan said that while most of the victims were in the United States, officials still haven't identified all the people who had a card number stolen.
"I suspect that a lot of people are unaware that their identifying information has been compromised," he said.
Sullivan said the alleged thieves weren't computer geniuses, just opportunists who used a technique called "wardriving," which involved cruising through different areas with a laptop and looking for accessible wireless Internet signals. Once they located a vulnerable network, they installed so-called "sniffer programs" that captured credit and debit card numbers as they moved through a retailer's processing networks.
The information was stored on two servers in Ukraine and Latvia -- one with more than 25 million credit and debit card numbers and another with more than 16 million numbers, Sullivan said.
The heist was a black eye for retailers like TJX. The company initially disclosed the data breach in January 2007 but said a few months later that at least 45.7 million cards were exposed to possible fraud in a breach of its computer systems that began in July 2005. Court filings by some banks that sued TJX put the number of cards affected at more than 100 million, based on estimates by officials with Visa and MasterCard, who were deposed in the suit.
In May, TJX said it won support from MasterCard-issuing banks for a settlement that will pay them as much as $24 million to cover costs from the breach. A similar agreement reached last November with Visa-card issuing banks set aside as much as $40.9 million to help banks cover costs including replacing customers' payment cards and covering fraudulent charges.
According to the indictments unsealed Tuesday, three of the defendants are U.S. citizens, one is from Estonia, three are from Ukraine, two are from China and one is from Belarus. One individual is known only by an alias online, and his place of origin is unknown.
At a press briefing in San Jose, Calif., Homeland Security Secretary Michael Chertoff said the non-U.S. citizens under indictment were part of an international stolen credit and debit card ring.
The ring operated in mainly in Eastern Europe, the Phillipines, China and Thailand, and the alleged foreign conspirators remained outside the U.S., Chertoff said.
The thefts were criminal actions committed for the personal gain of the defendants, who investigators did not consider a national security threat, Chertoff said.
Still, he said, their alleged crimes demonstrated the weaknesses of cybersecurity in the U.S.
"Today's indictments are a reminder of a growing threat that every American faces in the 21st century -- the fact that each individual's greatest asset is their names, their identity," Chertoff said.
In the Boston indictment, the alleged ringleader Albert "Segvec" Gonzalez of Miami was charged with computer fraud, wire fraud, access device fraud, aggravated identity theft and conspiracy. Gonzalez, who is in custody in New York, faces a maximum penalty of life in prison if he is convicted of all the charges.
Gonzalez was a U.S. Secret Service informant who helped the agency take over a Web site being used to transmit stolen identifiers and stolen credit card numbers, U.S. Secret Service Director Mark Sullivan said at the news conference.
"That was the first time ever that a computer system was wiretapped," he said.
But he said the Secret Service later found out that Gonzalez had also been feeding criminals information about ongoing investigations -- even warning off at least one person.
"Obviously, we weren't happy that a person working for us as an informant was double-dealing," Mark Sullivan said.
Indictments were also unsealed Tuesday in San Diego against Maksym "Maksik" Yastremskiy of Kharkov, Ukraine, and Aleksandr "Jonny Hell" Suvorov of Sillamae, Estonia. They are charged with crimes related to the sale of the stolen credit card data.
Yastremskiy was arrested when he traveled to Turkey on vacation in July 2007. He is facing related Turkish charges, and U.S. officials said they have requested his extradition.
Justice Department officials said Suvorov was arrested on the San Diego charges by German officials in March when he traveled there on vacation. He is in custody awaiting the resolution of extradition proceedings.
Indictments against Hung-Ming Chiu and Zhi Zhi Wang, both of China, and a person known only by the online nickname "Delpiero" were also unsealed in San Diego.
A Justice Department spokeswoman said those three suspects, together with five others, are still at large. Officials did not give an arraignment date for Gonzalez.
In May, federal prosecutors in New York indicted Yastremskiy, Suvorov and Gonzalez on 27 counts of fraud and identity theft. The charges stemmed from allegations that they hacked into a national restaurant chain's computerized cash registers and stole credit card information from customers. Eleven Dave & Buster's restaurants around the United States suffered at least $600,000 in losses, prosecutors said.
It was not immediately possible to reach Yastremskiy, Suvorov and Gonzalez for comment and it was not clear if they have legal representation.
The Associated Press contributed to this report.
