September 24, 2008, 1:47 PM — One of the major players in the massive hacking incidents at TJX Companies Inc., BJ Wholesale Clubs Inc. and other retailers Monday pleaded guilty to identity theft and other felony charges in federal court in Boston.
Christopher Scott, 25, of Miami, is the second individual to plead guilty in the case so far. Last week, Damon Patrick Toey, admitted to four felony counts, including wire and credit card fraud and aggravated identity theft. Both men were among the 11 individuals who were arrested in August in connection with payment card fraud stemming from a series of computer intrusions at major retailers over the last few years.
In a plea agreement before U.S. District Judge Douglas Woodlock, Scott admitted to conspiracy, unauthorized access to computer systems, access device fraud and identity theft. He faces a maximum of 22 years in prison and a US$1 million fine. Scott also will forfeit the $400,000 or so that he made in profits from the payment card thefts.
Besides TJX and BJs, Scott, Toey and the others arrested are accused of breaking into and stealing payment card data from DSW Inc., OfficeMax Inc., Boston Market, Barnes and Noble Inc. Sports Authority and Forever 21. According to prosecutors, the group is believed to have stolen data involving more than 45 million payment cards, leaving about 100 financial institutions vulnerable to losses from fraud.
According to a statement released by the U.S. attorney's office in Boston, Scott's expertise was wireless hacking. Scott along with ring leader Albert Gonzalez and others would conduct "war drives" in shopping strips in Miami looking for vulnerable wireless networks at retail store locations. Once they identified such a network, the gang would compromise it and use that access to break into the retailer's main payment processing network to steal payment card data.
The stolen data was then either sold to criminal gangs in East Europe and elsewhere or used by the gang itself to create and use fraudulent payment cards.
Court documents show that Scott broke into the TJX network in July 2005 through two wireless access points at a TJX-owned Marshall's store in Miami. He used the access he gained to download various commands onto TJX servers containing payment card data. In September of that year, with help from Gonzalez, they first started downloading payment card data from TJX servers in Framingham, Mass.
Scott later established a VPN connection between a TJX payment card transaction processing server and a malicious server owned by Gonzalez which he then used to upload various sniffer programs for capturing transaction data as it was being processed. In all, Scott received about $400,000 for his role in the thefts.
