BOSTON — The U.S. Justice Department has indicted 11 people for their alleged roles in some of the card data breaches that have cost credit unions the most.
If the allegations are found to be true, the Hacking 11 were responsible for the data theft and associated fraud at a minimum of eight major retailers, including the TJX companies, BJ's Wholesale Club, DSW, OfficeMax, Boston Market, Barnes & Noble, Sports Authority and Forever 21. Thefts of card data from these retailers, among others, cost credit unions and other card issuers at least tens of millions of dollars and forced a sweeping overhaul of how the entire card industry protects cardholder data.
The indictments, which led to case filings in several jurisdictions, said that the 11, including three U.S. citizens, three Ukrainian citizens, two citizens of the People's Republic of China, one citizen of Belarus and one citizen of Estonia, hacked into the retailers' computer networks; one conspirator is only known by an alias.
Once inside, the indictments allege the conspirators installed "sniffer" programs to find consumers' card data, including personal identification numbers, and move the information to their own networks.
"So far as we know, this is the single largest and most complex identity theft case ever charged in this country," said U.S. Attorney General Michael Mukasey when announcing the indictment. "The perpetrators are alleged to have stolen more than 40 million debit and credit card numbers. They used sophisticated computer hacking techniques, breaching security systems and installing programs that gathered enormous quantities of personal financial data, which they then allegedly sold to others or used themselves. And in total, they caused widespread losses by banks, retailers and consumers."
Once they had the data, the Justice Department alleged the conspirators stored it on their own encrypted servers and sold it to others, who in turn made cards using it and used the falsified cards to defraud consumers through other retailers or ATMs.
The three U.S. citizens were identified as Albert "Segvec" Gonzalez, Christopher Scott and Damon Toey, all of Miami, Fla. The indictments allege that Gonzalez, who was named as ringleader, became aware in 2003 that unencrypted credit card data could be had at a BJ's Wholesale Club in the Miami area. They then exploited the weakness to initially compromise and obtain consumers' card data, the indictment said. The Justice Department charged that the conspirators used the same approach at other BJ's stores in the Miami area as well as at other retailers from 2003 and into 2004. In some of these cases, the PINs that the conspirators were alleged to have stolen were encrypted, and the indictments charged that the conspirators had to reach out to others for assistance in decrypting them.
A key point in the conspiracy came in July 2005, the indictments alleged, as the conspirators succeeded not only in compromising a system at a local TJX retailer, but then were able to use the weakness to send commands to the main TJX servers in Framingham, Mass.
This new capability allowed the conspirators to access the largest amount of card data at TJX, the indictments charged. After accessing this data during mid- to late-2005, by the middle of 2006, the conspirators had set up a virtual private network link between the TJX servers and their own. They were able to use these servers to move large amounts of data, the government charged.
The indictments stated that in mid-2006 the conspirators, concerned that they were perhaps not getting enough data, recruited others to help write "sniffer" programs to find and transmit cardholder data on retailer servers. By mid-2006 as well, Gonzalez moved the other two American conspirators into a condo in Miami where, in exchange for rent and a share in the ill-gotten gains, they helped him attack retailer computer systems.
The indictments charged that the last time the conspirators attacked a retailer computer system was in October 2007.
Simultaneously, the indictments unveiled charges against other co-conspirators. The government charged Maksym "Maksik" Yastremskiy of Kharkov, Ukraine, and Aleksandr "Jonny Hell" Suvorov of Sillamae, Estonia, with crimes related to the sale of the stolen credit card data that Gonzalez and others illegally obtained, as well as additional stolen credit card data.
The indictment charged Suvorov with conspiracy to possess and traffic in the tools needed to commit card theft and sell card data, as well as identity theft, aggravated identity theft, and aiding and abetting. Yastremskiy is charged with trafficking in the devices, identity theft, aggravated identity theft and conspiracy to launder monetary instruments. The indictment also contains a forfeiture allegation.
Similar charges were disclosed against the other individuals as well.
The indictments also alleged that Gonzalez had been arrested by the Secret Service in 2003 on another case of fraud and was cooperating with the government in that case, while at the same time remaining the lead conspirator in this one.
When unsealing the indictments, the Department of Justice said that three of the 11, including Gonzalez, were currently in custody. The other two in custody were awaiting extradition from Turkey and Germany. It was unclear whether any of the accused had legal counsel as of press time.
Reaction from different credit union leaders involved in the fight against card fraud was uniformly appreciative of the government's effort but also cautionary, asserting that the core of the issue remained the same whether the individuals charged were ever convicted or not.
"The efforts of law enforcement to bring the perpetrators of these data thefts to justice are commendable," said Jeff Post, CEO of CUNA Mutual Group. "These breaches remain crimes of opportunity. Data breaches such as TJX are enabled by retailers who continue to store personal account information against card association rules and with disregard for the safety of these very organizations' customers' credit card information. If merchants would simply follow the card association rules, this supply of plastic card data would not be available to steal."
Steve Ruwe, chief risk officer for PSCU Financial Services, said he was encouraged by the indictments but agreed with Post. "I think it's very encouraging to see the amount of time, energy, money and other agency resources that must have been committed to this case in order to identify these individuals," Ruwe said. "I think there were a lot of people who doubted whether anyone would ever be charged with these crimes, whether they would just disappear into the Internet cloud."
Ruwe observed as well that the cases might be difficult to pursue past the indictment stage because they will likely touch upon unexplored legal ground, pointing out that the early prosecutions of card fraud sometimes had to struggle with questions like how to prove someone had actually counterfeited a card rather than simply been in possession of one.
None of the federal attorney offices involved would take any questions about the cases or the possible captures of the other named conspirators.