THIS STORY HAS BEEN FORMATTED FOR EASY PRINTING

Suspect named in TJX credit card probe

Ukrainian's arrest seen as break in record fraud case

Email|Print|Single Page| Text size + By Ross Kerber
Globe Staff / August 21, 2007

Authorities have zeroed in on a Ukrainian man they suspect played a key role in the sale of many credit card numbers stolen from TJX Cos. in what is considered the biggest corporate data breach to date.

Officials hope the recent arrest of Maksym Yastremskiy will be a breakthrough in the investigation of who hacked into systems at TJX and other companies, said Greg Crabb, a program manager in the global investigations division of the US Postal Inspection Service. The service is among various law enforcement agencies trying to track down hackers who made off with more than 45 million credit and debit card numbers from TJX starting in 2005.

Crabb said Yastremskiy allegedly sold card numbers through online forums hosted overseas, sometimes in Cyrillic or that were password protected. He is likely the largest seller of stolen TJX numbers, Crabb said.

Prices ranged from $20 to $100 per stolen card, and the cards were sold in batches of up to 10,000, depending on factors like the credit limits of the consumer accounts being traded. Crabb said Yastremskiy is associated with at least one other Ukrainian man previously charged with similar crimes, though unrelated to the TJX case.

"These guys are selling the good stuff," Crabb said.

It's unclear whether Yastremskiy is the mastermind behind the TJX breach itself. Yastremskiy's capture was first reported several weeks ago, though a link to TJX hasn't been made until now. Turkish police arrested him at a nightclub in the resort of Kemer, according to a French summary of a report by Turkish news agency Anatolia. The agency quoted a police official who said Yastremskiy is "one of the world's important and well-known computer pirates."

The Postal Inspection Service is involved in the investigation because it protects US mail customers. In the case of TJX, the postal service has jurisdiction because it is protecting the banks that mailed thousands if not millions of replacement credit cards to consumers whose data was compromised in the breach of TJX, the Framingham parent of stores such as TJ Maxx and Marshalls.

Other agencies involved in the probe include the US Secret Service and the Justice Department. Spokespeople for both agencies said officials wouldn't comment. Officials at the Ukrainian embassy in Washington did not return messages. A spokeswoman for TJX declined to comment.

Last week TJX said it expects to spend $256 million -- 10 times more than it had previously disclosed -- to cover costs related to the breach, such as improving security and dealing with the growing number of lawsuits filed by banks and other issuers of credit and debit cards. Some analysts predict the breach will cost more than $1 billion eventually, including the cost of canceling and reissuing millions of compromised cards.

The case is shaping up as a watershed event in the debate over organizations' responsibilities in protecting consumer data, amid rising security costs to banks, retailers, and card issuers.

TJX has said it believes hackers placed software on the company's computer network to capture data from at least 45.7 million customer credit and debit cards. The breach seems to have lasted from 2005 until TJX discovered the problem at the end of 2006, and to have involved data from customer transactions as early as 2003.

Some numbers were used to make fake credit cards, which law enforcement authorities say were used to buy millions of dollars in expensive electronics from Wal-Mart and other retailers in Florida and elsewhere around the world. Authorities in Florida have won guilty pleas from about 10 people related to the manufacture or use of fake cards, and some of these numbers were originally sold by Yastremskiy, Crabb said.

Crabb said officials are still investigating how Yastremskiy came to obtain the card numbers from the hackers who penetrated TJX in the first place.

Data-security experts say it's common for data thieves to operate in loosely organized rings and said such thieves may not even know each other well. In this case, that could mean the people who committed the breach of TJX itself may only have sought out middlemen afterward to buy card numbers, who in turn could sell them to make phony credit cards for use by people like those arrested in Florida.

That makes these crimes different than traditional credit-card fraud cases involving just a few stolen numbers at a time, said James Gaughran, chairman of the International Association of Financial Crimes Investigators, a trade group in California. "The difference now is that they're able to trade in bulk," he said, sometimes thousands of card numbers at a time.

Authorities allege that's what happened in the case of another Ukrainian, Dmitry Golubov, who was charged there in 2005 with trafficking millions of stolen credit card numbers based on an investigation by Crabb and others. But pursuing these cases internationally can be complex; Golubov's trial dates have been postponed repeatedly and a spokesman for the US Justice Department said the agency now considers Golubov a fugitive.

Ross Kerber can be reached at kerber@globe.com.

© Copyright 2008 Globe Newspaper Company.

more stories like this

  • Email
  • Email
  • Print
  • Print
  • Single page
  • Single page
  • Reprints
  • Reprints
  • Share
  • Share
  • Comment
  • Comment
 
  • Share on DiggShare on Digg
  • Tag with Del.icio.us Save this article
  • powered by Del.icio.us
Your Name Your e-mail address (for return address purposes) E-mail address of recipients (separate multiple addresses with commas) Name and both e-mail fields are required.
Message (optional)
Disclaimer: Boston.com does not share this information or keep it permanently, as it is for the sole purpose of sending this one time e-mail.