A New York man has been charged with providing co-conspirators with a 'sniffer' program for capturing payment card data as it travelled across corporate networks, apparently the latest person to be indicted in connection with data breaches at TJX Companies and other major retailers.
Stephen Watt, 25, of New York, was charged in US District Court in Boston on Oct. 29 with unlawful access to computers, wire fraud, aggravated identity theft and money laundering.
The indictment makes no direct mention of Watt's role in a series of breaches at major retailers such as TJX, BJ's Wholesale Club, DSW, OfficeMax, Boston market, Barnes and Noble, Sports Authority and Forever 21. But it names Albert Gonzalez as one of the individuals Watt supplied the sniffer programs to; Gonzalez has been indicted for his role as the alleged ring leader of the gang responsible for the retail break-ins. He has pleaded innocent to the charges.
A spokeswoman for the US Attorney's office in Massachusetts Tuesday said declined to comment on whether Watt's indictment is related to the retail breaches since it is not mentioned in the indictment.
Gonzalez was one of 11 people indicted in August in a massive identity theft and computer fraud scheme involving some of the largest data breaches in recent US history. Gonzalez and his gang are accused of breaking into numerous retail networks and stealing payment card data - including data on nearly 44 million cards from TJX alone - over a five-year period starting from 2003. TJX is the parent company of UK retailer TK Maxx.
The thefts relied on vulnerabilities in the wireless networks used at retail store locations: Gonzalez and others would go "war-driving" in commercial areas of Miami looking for vulnerable retail networks. Once they broke into a network, they would locate and steal "Track 2" data from the magnetic stripe on the back of payment cards, as well as PIN-block data associated with debit cards. The gang is alleged to have maintained servers in the US, Latvia and Ukraine that were used to store tens of millions of stolen credit and debit card numbers.
So far, two of the indicted individuals have pleaded guilty to charges in the case. In September, Damon Patrick Toey pleaded guilty to four felony counts, including wire and credit card fraud and aggravated identity theft. He is scheduled to be sentenced on 10 Dec. in US District Court in Boston, and faces a maximum prison term of five years and a fine of US$250,000 on each of the counts.
That same month, Christopher Scott, 25, of Miami become the second man to plead in the case. He faces a maximum of 22 years in prison and a $1 million fine. Scott also will forfeit the $400,000 or so that he made in profits from the payment card thefts.
Court documents filed in connection with Watt's indictment, meanwhile, said he was part of a criminal gang that between 2003 and 2008 broke into several corporate networks to steal payment card information and use or sell that information to others. The stolen funds were funnelled through Internet currency exchanges and bank accounts in Latvia to conceal the source, ownership and control of the money.
Watt allegedly provided a sniffer program that allowed Gonzalez and other gang members to identify and capture credit and debit card data travelling over the networks they had broken into. In January, he edited and modified a sniffer program dubbed 'blabla" that was used by the gang and stored in a server with a Latvian IP address, according to the indictment.
If convicted, Watt faces up to five years in prison, a fine of $250,000 and three years of supervised released, according to a statement released by the US Attorney's office in Massachusetts ( download PDF ).