N.Y. man indicted for role in data breaches

By Jaikumar Vijayan , Computerworld , 11/04/2008

A New York man has been charged with providing co-conspirators with a 'sniffer' program for capturing payment card data as it traveled across corporate networks, apparently the latest person to be indicted in connection with data breaches at TJX Companies Inc and other major retailers.



Stephen Watt, 25, of New York, was charged in U.S. District Court in Boston on Oct. 29 with unlawful access to computers, wire fraud, aggravated identity theft and money laundering.



The indictment makes no direct mention of Watt's role in a series of breaches at major retailers such as TJX, BJ's Wholesale Club, DSW Inc., OfficeMax Inc., Boston market, Barnes and Noble Inc., Sports Authority and Forever 21.



But it names Albert Gonzalez as one of the individuals Watt supplied the sniffer programs to; Gonzalez has been indicted for his role as the alleged ring leader of the gang responsible for the retail break-ins. He has pleaded innocent to the charges.  A spokeswoman for the U.S. Attorney's office in Massachusetts Tuesday declined to comment on whether Watt's indictment is related to the retail breaches since it is not mentioned in the indictment.



Gonzalez was one of 11 people indicted in August in a massive identity theft and computer fraud scheme involving some of the largest data breaches in recent U.S. history. Gonzalez and his gang are accused of breaking into numerous retail networks and stealing payment card data -- including data on nearly 44 million cards from TJX alone -- over a five-year period starting from 2003.



The thefts relied on vulnerabilities in the wireless networks used at retail store locations: Gonzalez and others would go "war-driving" in commercial areas of Miami looking for vulnerable retail networks. Once they broke into a network, they would locate and steal "Track 2" data from the magnetic stripe on the back of payment cards, as well as PIN-block data associated with debit cards. The gang is alleged to have maintained servers in the U.S., Latvia and Ukraine that were used to store tens of millions of stolen credit and debit card numbers.



So far, two of the indicted individuals have pleaded guilty to charges in the case. In September, Damon Patrick Toey pleaded guilty to four felony counts, including wire and credit card fraud and aggravated identity theft. He is scheduled to be sentenced on Dec. 10 in U.S. District Court in Boston, and faces a maximum prison term of five years and a fine of US$250,000 on each of the counts.



That same month, Christopher Scott, 25, of Miami become the second man to plead in the case. He faces a maximum of 22 years in prison and a $1 million fine. Scott also will forfeit the $400,000 or so that he made in profits from the payment card thefts.



Court documents filed in connection with Watt's indictment, meanwhile, said he was part of a criminal gang that between 2003 and 2008 broke into several corporate networks to steal payment card information and use or sell that information to others. The stolen funds were funneled through Internet currency exchanges and bank accounts in Latvia to conceal the source, ownership and control of the money.



Watt allegedly provided a sniffer program that allowed Gonzalez and other gang members to identify and capture credit and debit card data traveling over the networks they had broken into. In January, he edited and modified a sniffer program dubbed 'blabla" that was used by the gang and stored in a server with a Latvian IP address, according to the indictment.  (see graphic below)



If convicted, Watt faces up to five years in prison, a fine of $250,000 and three years of supervised released, according to a statement released by the U.S. Attorney's office in Massachusetts