One of 11 alleged T.J. Maxx hackers pleads guilty

One of the hackers accused of involvement in the massive data breach targeted at T.J. Maxx's parent company, arguably the largest security breach worldwide, reportedly pleaded guilty on Thursday.

Damon Patrick Toey pleaded guilty to wire fraud, credit card fraud, and aggravated identity theft, and will be released subject to electronic monitoring, according to a report on the Wall Street Journal's Web site. Eleven defendants total are facing charges in federal court in Boston.

TJX Companies, the parent company of T.J. Maxx and Marshall's, said in March 2007 that 45.7 million accounts were compromised over nearly a two-year period. The company said--and federal investigators subsequently confirmed--that it believed the hackers gained access to millions of credit card and debit card numbers through inadequately protected Wi-Fi networks, and then put the numbers up for sale.

The 11 defendants were formally charged last month, including three from the U.S., one from Estonia, three from the Ukraine, two from the People's Republic of China, and one from Belarus. One used an alias and his whereabouts are unknown.

[BenjaminWright]

Careful reading of the indictments of the TJX data thieves show that the media, card issuers and Federal Trade Commission over-reacted to the TJX incident. The TJX break-in was not as bad as we were led to believe. --Ben http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/credit-card-iss.html

[renGek]

Its typical for those in charge to have knee jerk reaction to security breaches even if minor even if nothing could have possibly been stolen. Its typical in every industry. But at the same time we should not just let it go because its a bad signal to other would be hackers or those about to commit fraud. Some things if you let them get out of hand, you can never pull the rein back.

This one guy who pleaded guilty is probably the smartest because he'll be used to rat on the other 10.

[The Harper]

Actually, the smartest one is the guy who used an alias. The one whose "whereabouts are unknown".

[djjohu]

At least there were no social security numbers that were obtained directly from TJX. Things would have been much worse for identity theft had the hackers been able to access TJX's HR systems. I guess someone should add "don't give any personal information to any stores" to the list of ways to prevent identity theft at http://identitytheft.me/best-practices-to-prevent-identity-theft/ , though that's a bit hard to do online, at least.