Breach, Critical Infrastructure Security, Threat Management, Data Security, Incident Response, TDR

Miami man gets five years in jail for leading TJX fraud ring

A Florida man, theringleader of a group that used financial information stolen from TJX customersfor fraudulent purchases, was sentenced this week to five years in prison andordered to pay $600,000 in restitution.

IrvingEscobar, 19, of Miami,pleaded guilty to charges that he usedfake credit cards layered with information stolen in the notorious data breachto buy approximately $3 million in goods and gift cards.

Escobarwas one of six people arrested in March for participating in the credit cardfraud ring. The group was accused of traveling around Florida purchasing large amounts of giftcards – mostly at Wal-Mart and Sam's Club stores – with the stolen information.

Thearrests were the result of a joint investigation conducted by the Gainesville(Fla.) Police Department and the Florida Department of Law Enforcement.

Co-defendantsDianelly Hernandez, Julio Alberti, Reinier Alvarez, and Zenia Llorente pleadedguilty in August and were sentenced to probation, according to Florida AttorneyGeneral Bill McCollum. Nair Alvarez, Escobar's mother, also pleaded guilty andwas deported to Venezuela.

MaryMonahan, a partner with Javelin Strategy and Research, told SCMagazineUS.comtoday that she hopes Escobar's sentencing will be followed by the arrests of theindividuals responsible for the breach itself.

“It'sa good sentence. He's the ringleader for the group down in Florida, and everyone else got probation," she said. “The thing is that he's actually a small fish. He's 19 years old, andsomebody supplied him with those credit card numbers, and hopefully they canget that person.

A TJXspokesperson could not immediately be reached for comment.

Lawenforcement authorities said last month they were hopeful that the arrestof Ukrainian national Maksym Yastremskiy, 24, would lead them to the hackersresponsible for the TJX breach that compromised the credit card information ofabout 45 million people.

Yastremskiywas trafficking more than a million credit card numbers and likely had closeties to the intruders, Greg Crabb, an agent with the U.S. Postal InspectionService's global investigations unit, said last month. Yastremskiy is believedto have sold the credit card numbers for between $20 and $100 a piece.

Gartneranalyst Avivah Litan told last month that law enforcementauthorities have told her the intruders are difficult to apprehend because theyare based overseas.

TheTJX breach was the result of a scheme that began in 2005 when intruders used a“telephone-shaped antenna” and laptop to decode data moving among Marshalls store scanningdevices, cash registers and PCs that were using wireless LAN connectivity,according to numerous published reports. The hackers may have ciphered data forup to two years.

TJX,the parent company of TJ Maxx, Marshalls and other discount retailers, hasbegun to feel the financial ramifications of the breach. The Framingham,Mass.-based chain's second quarter income fell sharply this year, from $138million during its second quarter in 2006 to $59 million in the same period this year. The freefall has beenattributed to an after-tax second-quarter charge of $118 million related to thebreach.

That amount is comprised of $11 million for costs incurred during thequarter and $107 million in reserve funds to be used in the future for“probable losses,” according to Securities and Exchange Commission filings.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.