By Matt Hines
March 21, 2007
Law enforcement officials in Florida have arrested six individuals
suspected of carrying out a fraud scheme built around the misuse of
credit card data stolen from retailer TJX Companies.
In partnership with the Gainesville Police Department, officials from
the Florida Department of Law Enforcement said they have taken six of 10
suspects into custody for allegedly using the TJX customer data to
purchase large quantities of gift cards from discount chains Wal-Mart
and Sam's Club.
The series of arrests marks the first specific instance of crime to be
connected to the TJX data heist, although some banks have previously
reported that accounts held by consumers affected by the incident had
been used in attempted fraud around the globe.
Florida Department of Law Enforcement officials confirmed that they
initially reported the crime ring to Framingham, Mass.-based TJX in Nov.
2006. The retail chain began informing its customers about the data
breach -- blamed on a computer systems intrusion -- in mid.-Jan. 2007.
TJX media representatives didn't immediately return call seeking comment
on the arrests.
The suspects were reported by Florida law enforcement officials to have
been traveling throughout the state buying large quantities of Wal-Mart
gift cards with the stolen credit card accounts, and then redeeming the
cards at other locations. Among the items purchased by the scammers were
computers, gaming devices, and big-screen TVs.
Losses experienced by Wal-Mart and the banks issuing the credit cards
total more than $8 million, and are still being calculated, according to
Florida officials. The suspects arrested were charged with organized
scheme to defraud, a first-degree felony, and had their bonds set at $1
Arrested and booked in Metro-Dade County for the crime spree were Irving
Escobar, age 18; Reinier Camaraza Alvarez, 27; Julio Oscar Alberti, 33;
Dianelly Hernandez, 19; Nair Zuleima Alvarez, 40; and Zenia Mercedes
The Florida Department of Law Enforcement said that it has also issued
warrants for four other people believed to be involved in the scheme.
The timeline established by the Florida arrests could help to shed light
on the factors that pushed TJX -- which operates a handful of North
American and European retail chains including T.J. Maxx, Marshalls,
HomeGoods, and A.J. Wright -- to inform the public of its data breach.
On Jan. 17, TJX first reported that a computer systems intrusion may
have compromised the personal data of an undetermined number of its
customers, with hackers able to make off with individuals' credit card,
debit card, and check information, along with data related to
merchandise return transactions.
While the company has refused to reveal how many customers may be
affected by the incident, TJX officials have confirmed that a majority
of the data involved is related to people who shopped at its stores in
the United States, Canada, and Puerto Rico during 2003, and between May
and December 2006.
On Feb. 21, TJX announced that it had discovered a new set of IT systems
intrusions that exposed the personally-identifiable information of its
customers. Company officials said that in addition to the IT systems
break-ins it detailed in January, it now believes that intruders also
infiltrated its databases repeatedly during 2005.
Reports of crime connected to the TJX data theft first surfaced on Jan.
24, when the Massachusetts Bankers Association reported that several
banks in the state had observed instances of fraud specifically related
to the accounts of consumers involved in the TJX incident.
The industry group said at the time that it had received reports of
criminal activity carried out via debit and credit card accounts exposed
in the heist in locations including Florida, Georgia, and Louisiana in
the U.S., as well as in Hong Kong and Sweden overseas.
When TJX first reported the incident in Jan. 2007, company officials
said they had become aware of the data theft in late 2006 but waited to
begin informing customers of the breach in deference to ongoing law
enforcement investigations, including those being carried out by the
U.S. Department of Justice and U.S. Secret Service.
The Massachusetts Bankers Association, among others, publicly criticized
the company for not moving to disclose the incident faster.
Over the last two years, more than 30 U.S. states have adopted new laws
that establish more rigid guidelines for the reporting of consumer data
exposure. A bill under consideration in Massachusetts would require
organizations to inform consumers within five business days after a
breach affecting their data is detected.
Visit the InfoSec News Security Bookstore