Second of 11 alleged TJX hackers pleads guilty

A second criminal hacker accused of involvement in the massive data breach targeted at T.J. Maxx's parent company, one of the largest security breaches to date, reportedly pleaded guilty on Monday.

As part of a plea bargaining arrangement Christopher Scott, 25, of Miami, has admitted to computer hacking, access device fraud, and identity theft, according to the Associated Press. He could face a sentence of up to 22 years in jail and a fine of up to $1 million for his crimes.

The plea comes almost two weeks after Damon Patrick Toey pleaded guilty to his role. The 11 defendants were formally charged last month. Three are from the U.S., one from Estonia, three from the Ukraine, two from the People's Republic of China, and one from Belarus. Another man involved used an alias and his whereabouts are unknown.

In March 2007, TJX, the parent company of T.J. Maxx and Marshall's, said 45.7 million accounts were compromised over nearly a two-year period. The company believed the hackers gained access to millions of credit card and debit card numbers through inadequately protected Wi-Fi networks, and then put the numbers up for sale.

[Belinus]

22 years? Wow. In some states you could attempt to kill someone and get less time.

[slynx000]

Because that's the total of years based all the different charges... hacking, device fraud, identity theft.

Murder as a sole count has minimum and maximum sentenceable years that would probably be higher than any single count of one the charges against the guy. Of course this doesn't count that there's multiple definitions of trying to 'kill someone' usually based on levels of intent. >:P

[Seaspray0]

I won't complain if he gets 22 years.

[renGek]

He won't get nearly that many years because he pled guilty to cut a deal with prosecution. We've all seen law & order right.
The other 10 will get jacked by the first 2 who cut deals. Except for that one smart guy who used an alias. Notice nobody knows where he is.

Now here's my question. Why on earth did tj max have such sensitive info accessible via wi-fi which is basically like leaving your front door unlocked but keeping it closed so that nobody thinks its unlocked.

[BenjaminWright]

Careful reading of the indictments of the TJX data thieves show that the media, card issuers and Federal Trade Commission over-reacted to the TJX incident. The TJX break-in was not as bad as we were led to believe. --Ben <a href="http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/credit-card-iss.html">http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/credit-card-iss.html</a>

[paulej]

Criminal sentencing in the United States usually is way out of line with the crime committed. Some folks are fortunate to get a lesser punishment, but there are always politicians or others who like to "make an example" out of somebody -- as if making an example of somebody did any good. I've never seen it do any good. In any case, 46M credit card accounts is a lot. The real question is how much damage was actually caused-- I think that is the real key thing to measure. But, that could truly be hundreds of millions if accounts were really exploited. Personally, if I were the judge (and perhaps this is why I would never be given such a job), I would split the responsibility between TJ Maxx for operating an insecure network and leaving individuals' credit cards at risk and the criminals. Sure, it was the criminals who "did a bad thing", but a major corporation maintaining credit card information ought to know very well to secure its networks carefully to avoid such things.