Food chain of fraud snarls TJX probe
Credit-card cases show difficulty of discovering those at center of ID theft
Officials in Florida have obtained guilty pleas in several credit card fraud cases related to the theft of more than 45 million credit and debit card numbers from TJX Cos., the biggest data breach in history.
Officials have yet to charge anyone directly in connection with the data breach itself, however, which lasted for years before the Framingham retail giant, which operates TJ Maxx and Marshalls stores, among others, disclosed the problem this year.
Court filings in the various cases show how some thieves became adept at manufacturing fake credit cards with real account numbers, using printing and encoding equipment that is relatively easy to obtain. But those admitting their involvement so far aren't linked to the actual break-in to TJX's own computer network -- an illustration of how difficult it may be to link the activities in Florida to the original theft.
Specifically, Florida state prosecutors in recent weeks have obtained guilty pleas from six people they had charged in March with using stolen credit card numbers to buy jewelry, computers, and other goods from Wal-Mart stores around the state.
One of these defendants then helped federal prosecutors obtain a guilty plea from another Florida man, Miguel Bruguera, on charges he created counterfeit credit cards with stolen card numbers, according to court filings and law enforcement officials. Also, in a separate federal case in Florida, four other men have agreed to plead guilty to conspiracy charges related to phony credit cards that an investigator involved in the case, who asked not to be named because he is not authorized to speak about the case publicly, says included numbers taken from TJX.
Justice Department officials referred calls to spokespeople who either did not return messages or said the agency would not comment. A Secret Service spokesman said the agency wouldn't comment.
In a July 9 press release, Secret Service called the four men "an organized electronic crime ring" and said they used a Web payment service to buy tens of thousands of stolen card numbers from "known cybercriminals in Eastern Europe." In recent years such groups have been the focus of much attention by the Secret Service, though its record prosecuting such gangs is mixed.
Mark D. Rasch, a former federal prosecutor and now managing director of Washington security consulting company FTI, said the cases show how card fraud often involves many different layers of misconduct, from the original hackers who obtained the numbers to the low- level crooks who use the data to commit fraud, or what he called "the separation of functions in the ring."
That broad distribution means that "prosecutors are finding it almost impossible to move upstream to get to the big guys," said Alan Paller, director of research at the SANS Institute, a data-security college in Bethesda, Md.
A TJX spokeswoman didn't return messages. Analysts estimate the breach could cost more than $1 billion in damages and penalties. The first TJX case began last year when employees at several Wal-Mart branches in Florida became suspicious of large purchases of store gift cards by people who then used the cards to buy expensive electronics and other items.
One break for police came when the thieves also used the suspect cards at Wal-Mart's outlet stores Sam's Club, which keeps a photographic database of nearly all its customers and helped authorities deconstruct the scam.
Among those charged in the case was Florida resident Irving Escobar, 18 at the time, who agreed to cooperate with officials who didn't know where his group obtained their stolen card numbers in the first place, a state court filing shows. Escobar agreed to plead guilty to fraud and, in April, arranged to meet with one person who had allegedly supplied him the stolen cards and fake driver's licenses, Miguel Bruguera, at an Embassy Suites hotel in Orlando, according to a separate court filing and a law enforcement official, speaking on condition of anonymity because this person wasn't authorized to speak publicly.
At that meeting, on April 17, Bruguera allegedly spoke on the phone to a person known as "Frank" who read him the stolen credit card numbers by phone. According to a court filing, Bruguera then entered the numbers into a laptop computer and used it and another device to encode those numbers onto about 40 blank credit cards. He also embossed them with the fake name, Anthony Lostaglio, used on a counterfeit driver's license that Escobar previously carried, filings show.
Bruguera and Escobar then drove to a nearby Wal-Mart, tailed by the Secret Service, where they bought several gift cards with the devices and counterfeit driver's licenses Bruguera had made, according to the government's complaint and the law enforcement source. Agents then arrested Bruguera and found eight counterfeit credit cards, a small "skimming" device used to capture magnetic card numbers secretly, and a Wachovia Bank credit card with Bruguera's name on it that was encoded with a different number than was embossed on the plastic.
An attorney for Bruguera declined to comment. A court filing shows Bruguera agreed to plead guilty to producing, using, and trafficking in counterfeit access devices. He faces up to 10 years in prison and a fine of up to $250,000.
Separately, the four other Florida men have agreed to plead guilty to similar fraud charges they produced counterfeit credit cards with stolen card numbers, and both sold them and used them for their own benefit.
Sentencing is still pending for Escobar, the teenager who was one of the first arrested. His attorney was traveling and did not return messages, said a representative. Escobar had been released on reduced bail, but after aiding in the sting on Bruguera he seems to have returned to his old ways. A state court filing shows he used allegedly stolen gift cards on May 9 to buy a widescreen television worth $599.88 at a Sam's Club, witnessed by store security.
The filing adds, "Escobar was in no way working for, or in conjunction with, the Miami Field Office of the US Secret Service during this transaction."
Ross Kerber can be reached at kerber@globe.com. 