A Miami man pleaded guilty on Monday to charges of hacking and identity theft related to the high-profile data breaches at TJX and a number of other merchants.
Christopher Scott, 25, admitted to his role in computer intrusions at nine retailers that netted a cybercriminal gang more than 40 million credit and debit card numbers, prosecutors have said.
Between 2003 and 2007, the cyberbandits exploited insecure wireless networks, which allowed them to place “sniffer” trojans that captured credit card data as it passed between point-of-sale machines and payment processors.
Scott pleaded guilty to conspiracy, unauthorized access to computer systems, access device fraud and ID theft. He faces up to 22 years in prison and a $1 million fine.
Scott was part of a gang that would scan “the airwaves in shopping strips in Miami from their cars looking for potentially vulnerable access points,” according to a Monday news release from the U.S. Attorney’s Office in Boston. “When they found one, they would park in adjacent lots or sit in nearby loaned or rented rooms with laptop computers until they were able to compromise the perimeter of the retailer’s computer network.”
Some of the retail victims included Marshalls — which is owned by TJX — Boston Market, Sports Authority, BJ’s Wholesale Club and DSW.
Gonzalez and his crew — indicted in August — sold the stolen data to other fraudsters in exchange for cash advances. Scott personally earned $400,000 for his role in the heist.
Scott joins fellow gang member Damon Patrick Toey, who pleaded guilty earlier this month to wire fraud, credit card fraud and aggravated identity theft.
Wireless security has become a top priority for the organization charged with administering credit card transaction security guidelines.
Version 1.2 of the Payment Card Industry Data Security Standard (PCI DSS), issued by the PCI Security Standards Council, removes any mention of the Wired Equivalent Privacy (WEP) encryption standard, which is considered outdated and vulnerable to attack.
When TJX was breached, resulting in the possible exposure of 45.7 million card numbers, the discount clothing chain was using WEP.
By 2010, all merchants must transition to the Wi-Fi Protected Access (WPA) framework.