A Simple Scheme to Rob 45,700,000 People

Three years ago a group of computer geeks slipped into the servers at Framingham-based TJX — the parent company of T. J. Maxx — and orchestrated the world’s biggest identity heist. Now, as the hackers head to prison and the secrets of their scam are revealed, one question remains: Are you any safer?

A Simple Scheme to Rob 45,700,000 People

Illustration by Frank Stockton

Robert Mann had a rather unusual lunchtime ritual, at least compared with the other mechanics at Rietzl Audi Porsche in Norwell: The 48-year-old would drive over to the local T. J. Maxx.

Though most people don’t think of the discount chain as a place to shop for food, Mann savored the snacks and condiments he found there. “They had good food and a lot of unusual sauces,” he says, and, best of all, “it was cheap.” He’d swipe his debit card through the machine at the register, and head back to work with a bag of his favorite Italian cookies.

Then Mann’s trips to the Maxx came to an abrupt end. It happened one afternoon in January 2007, when a cashier declined his debit card. Mann, who knew he had a few thousand dollars in his account, figured he had punched in the wrong PIN. But then he got declined again.

Back at home, when Mann logged on to his bank account at Rockland Trust, he couldn’t believe what he saw: His balance was draining before his eyes. Each time he refreshed the page, more money vanished. He felt a cold, sickening twist in his gut. Mann grabbed for his phone and could barely dial the number of his bank. Helpless confusion gripped him as he exclaimed, awkwardly, “I’m being compromised!”

The bank froze his account, but not in time to stop the damage: One hundred sixty-seven illegal transactions had been made, involving everything from calling cards to computer equipment to website payments. The crooks hadn’t just stolen his money, they had also ripped off his identity — one charge was a donation to a neo-Nazi organization in Germany. “It didn’t make any sense,” Mann says. “My account was getting hammered.”

Forty miles from Mann’s home in Pembroke, executives at the Framingham headquarters of the TJX Companies — which owns T. J. Maxx and a slew of discount retailers including Marshalls, HomeGoods, and A. J. Wright — were already piecing together the source of Mann’s problems. They had discovered that hackers had broken into the TJX computer system and stolen payment card numbers. Mann was just one of 45 million customers being victimized by one of the biggest credit card heists of all time.

Today, three years after the attack was discovered, the details of how the crime was perpetrated — and exactly how much damage was done — are finally coming into view. According to TJX’s filing with the Securities and Exchange Commission last year, the breach and the ensuing legal complaints brought by customers ended up costing the company more than $170 million. It’s a stark reminder of how vulnerable companies and consumers are in an increasingly digital economy. “One thing we learned is how aggressive and creative cybercriminals are, constantly finding ways to penetrate even the best computer security,” says TJX spokeswoman Sherry Lang.

But some experts think TJX’s security wasn’t that great to begin with. “It’s a terrible example of what can happen when appropriate security measures are not taken,” says Barbara Anthony, undersecretary of the state’s Office of Consumer Affairs and Business Regulation. “It’s a wake-up call.” One of the men sentenced in the heist has another way of putting it. Stephen Watt, a hacker who will soon begin serving a two-year prison term for his role in the scheme, considered the TJX attack “embarrassingly simple.”

“This was just the money they lost from their own incompetence,” he says. “TJX should be thanking me.”

 

Wedged between the Mass. Pike and Lake Cochituate in Framingham, the massive brick-and-glass headquarters of TJX looks like a place befitting a national retail empire. But the corporate sheen belies the company’s deep roots as a scrappy family-run firm. In 1919, immigrant brothers Max and Morris Feldberg opened the New England Trading Company in order to supply department stores with ladies’ underwear. By the Great Depression, the Feldbergs had gotten into the retail business for themselves, with a chain of stores called the Bell Hosiery Shops. In 1956, Max’s and Morris’s sons expanded the business, opening a department store in Hyannis named Zayre, which is Yiddish for “very good.”

The Feldbergs’ formula was as simple as it was successful: They sold off-price, upscale goods to shoppers who’d been priced out of higher-end retailers. During the recession of the 1970s, the company added a new discount store, T. J. Maxx, first in Auburn and Worcester and then beyond. Acquisitions and innovations followed, and by the mid-1990s, people who had never heard of TJX were nonetheless shopping at its discount chains, buying name-brand clothes at Marshalls or spatulas at HomeGoods. Today, with $19 billion in annual revenues and more than 2,600 stores nationwide, it’s one of the largest off-price retail empires in the country.

As TJX’s reach spread throughout North America and into Europe, there was one guy in particular who wasn’t a fan: Stephen Watt. Growing up in Melbourne, Florida, in the 1980s and ’90s, he’d pound the dashboard whenever his value-hunting mom would steer the car toward a T. J. Maxx or Marshalls. “Please don’t make me go in there with all these fat people and shitty clothes!” he’d plead.

Watt had reason to feel like an oddball in his town. “I personally consider it to be like the eighth or possibly the ninth bulge of hell,” he says. A seven-foot-tall blond whiz kid, Watt was a star student — he earned a 4.37 grade point average in high school — who had little in common with his classmates. After teaching himself computer code, a 15-year-old Watt found like-minded misfits in the burgeoning hacker underworld. He frequented a chat room for globalHell, a hacker collective notorious for defacing the websites of the U.S. Army and the White House, among others. “They were basically a bunch of script-kid morons, but it seemed exciting to me since I knew nothing about hacking or security,” he says.

It was in this world that Watt met and befriended Albert Gonzalez. Like Watt, Gonzalez was a gifted but outcast Florida kid. Growing up in Miami as the son of a Cuban landscaper, Gonzalez saved up his allowance to buy a computer. Once active in his local church, he quickly became enthralled with the machine — one church adviser noticed that Gonzalez thought of his computer as his best friend. His mother, Maria, saw it more distressingly as an “obsessive vice,” and urged him to see a psychologist. “No, I am not crazy,” her son angrily replied.

In fact, within that nascent online culture, Gonzalez found something that helped him feel quite sane: community. He soon graduated from playing games to finding friends and confidants online. “We have a very identical perspective of the real world,” Watt says today, recalling that what bound him to Gonzalez was “the feeling of alienation that you have when you feel like you’re smarter than most people and lack a group of friends that can adequately understand you or communicate with you…. It’s an intellectual thing, and a feeling of despair. Trust is important to both of us, and we could trust each other.”

Gonzalez (who declined to comment for this story) also earned the trust of a coterie of misfits on the Net, many of whom shared a passion for an illegal hobby: stealing credit and debit card numbers. Gonzalez possessed a unique talent in this world: By charming his way through chat rooms, he was able to harness the abilities of disparate groups of coders and hackers, assembling ad hoc teams that could work together. “Albert was not as technical as some,” Watt remembers, “but he was an unparalleled genius as a project manager. In terms of macro- and micro- management, he knew how to connect people and use their respective strengths. He was a team leader in every sense. He knew how to bring elements of an intrusion together in a successful manner.”

By 2002, Gonzalez had become one of the leaders of an international ring of criminal hackers who hung out on a secretive Internet forum called Shadowcrew. Here, so-called carders swapped nefarious services, from counterfeiting driver’s licenses and Social Security cards to “swiping” payment card numbers by hacking into the computer systems of retail stores. But Gonzalez had trouble covering his trail. In 2003 he was arrested in New Jersey for possessing 15 fraudulent payment cards. Ever the project manager, however, he shrewdly engineered a way out of jail time: He became a government informant.

As part of an 18-month cybercrime investigation called Operation Firewall, coordinated by the FBI and the Secret Service, Gonzalez worked behind the scenes, trolling the hacker underworld and relaying information on people and deals back to the feds. Ultimately, his work helped lead to the arrest of 28 members of the Shadowcrew gang. “He had an uncanny way of getting into systems,” recalls E. J. Hilbert, a former FBI cybercrimes agent who worked with Gonzalez.

Because Gonzalez remained undercover, the convicted hackers had no way of knowing he had played a role in giving them up. In fact, Gonzalez’s cachet among carders was actually growing. By working with federal agents, he had learned about the government’s tactics, picking up information that was making him more powerful — and valuable — among the carders. Before long, he was planning a new attack on a vulnerable target.

 

At most stores, when customers swipe a payment card at the checkout, that data travels over wireless networks to the store’s computers. It then makes its way to servers at the parent company, where it is processed. For years, even though retailers like TJX used passwords to protect their wireless networks, the data itself was either encrypted at a basic level or unencrypted. This meant that a hacker like Gonzalez could access the information with a computer and a WiFi connection.

Beginning in 2003, Gonzalez and a crew of hackers he’d organized started driving around Miami using laptops to scan for stores that used wireless networks, a practice called wardriving. Once the hackers detected an accessible network, it was like finding a gaping hole in a cash machine. Gonzalez’s crew started sucking credit and debit card numbers from a variety of stores around town, everywhere from Marshalls to Boston Market. And they cashed in. Stolen card information could either be sold on the black market for between $10 and $100 per account, or used to make withdrawals from bank machines.

Gonzalez, who adopted the hacker handle “soupnazi,” after the notoriously cranky restaurateur from Seinfeld, dubbed his gang “Operation Get Rich or Die Tryin’” after the album by 50 Cent. He bought himself a $40,000 BMW, blew $75,000 on a birthday party, and began staying at ritzy Miami hotels, even while still living with his parents.

But he wanted more. More numbers. More money. More everything. To get it, Gonzalez needed a “sniffer” program, an insidious piece of spyware he could install into a retailer’s server, which would then log and capture an unimaginable trove of numbers. Instead of parking outside a single Marshalls, say, he would be able to steal data from the computers at the TJX corporate headquarters in Framingham. And Gonzalez knew the perfect man to write such a program — Stephen Watt.

Unlike Gonzalez, Watt had not given into the criminal side of hacking. Since 2004, he’d been working in New York as a software engineer at the investment bank Morgan Stanley. He’d heard about Gonzalez’s increasingly lavish lifestyle, but took the stories with a grain of salt. He figured his friend’s money was coming from what he had heard was a $75,000 annual salary the government was paying him as an informant. Gonzalez and Watt talked for hours through instant messages, and Gonzalez would send him articles of hacker exploits — without ever taking responsibility. “Please read that shit,” Gonzalez wrote to Watt about one story he passed along. “I’m laughing right now so hard that I spit all over the laptop screen.”

Watt insists he didn’t suspect his friend of being involved in the crimes (a claim that federal prosecutors would later dispute). So when Gonzalez asked him to write a sniffer program, he obliged. It was part of the hacker ethic, he believed, something that people in the outside world couldn’t understand. You write code, you pass it along to your trusted friends, and you don’t ask questions. “Sharing code is a way of life,” Watt says. “There’s not an ethical or moral stop sign that says you should care about this. I approach this from a point of karma. I’m not sniffing credit cards, I’m not selling them, and I’m not getting money from this. I don’t lose sleep at night. My hands are clean. He’s his own moral agent.”

Watt spent 10 hours writing a sniffer program he called “blabla.” And then he e-mailed it to Gonzalez.

 

By uploading Watt’s Sniffer Program through the network at TJX, Gonzalez now had access to the retail giant’s computer servers in Framingham — and legions of unwitting customers had reason to fear him. By January 2007, TJX customers across the eastern seaboard, including auto mechanic Robert Mann, were noticing terrible things happening to accounts in their names.

Late that month, TJX chairman Ben Cammarata sent an open letter to the company’s customers explaining that, a month earlier, the company had discovered a computer breach. “We have promptly alerted law enforcement authorities and an investigation is under way,” he wrote. “We have also engaged two of the very best computer security experts to help us strengthen the security of our systems in order to prevent this from happening again, and we believe customers should feel safe shopping in our stores.” But, he added, “there is much we still have yet to understand about this issue.”

A break came in July 2007, when the Operation Firewall investigators — the very same team that had relied on Gonzalez as an informant — stumbled onto the trail of a 25-year-old hacker in the Ukraine, Maksym Yastremskiy, who was thought to be a key player in the underworld trade of stolen payment cards. Federal agents seized Yastremskiy’s laptops to find millions of stolen numbers and something of a smoking gun: the same essential code used in the sniffer program found on the TJX computers. They also found records of online chats with a hacker nicknamed “soupnazi.”

On May 7, 2008, Gonzalez was inside room 1508 of the art deco National Hotel in Miami Beach. As his girlfriend lay nearby, along with a Glock 27 handgun, two laptops, and $22,000 in cash, federal agents burst into the room and placed him under arrest. But the astonishing fallout was just beginning. On August 5, 2008, Gonzalez and 10 others were indicted by a federal grand jury in Boston for stealing more than 40 million credit and debit card numbers from not only TJX, but also BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21, and DSW.

Last August, as Gonzalez was being held in prison in Brooklyn, he was indicted again — this time for stealing 130 million credit and debit card numbers between 2006 and 2008, from companies including Heartland Payment Systems, 7-Eleven, and Hannaford Brothers, a regional supermarket chain. U.S. Attorney General Michael Mukasey called it “the single largest and most complex identity-theft case ever prosecuted in this country.”

Last December, Watt was sentenced to two years in prison for writing the sniffer program and ordered to pay $171.5 million in restitution. But he maintains that he had no knowledge of criminal use of his program, and he was not found to have made any money from the heist. “The government doesn’t have any evidence on me,” he says one February afternoon in his Manhattan apartment, where he’s biding his time until he goes behind bars. “I’ve kept my nose clean.” Watt says Gonzalez told him he feels horrible for getting him into this fix. They remain close friends.

In September 2009 in Boston, Gonzalez pleaded guilty to 19 counts of conspiracy, fraud, and aggravated identity theft. As of this writing, he faces up to 25 years in prison. Still, Gonzalez’s going to jail doesn’t, on its own, make consumers any less vulnerable to future attacks. And as enormous as the TJX breach was, it was by no means an isolated event. The state’s Office of Consumer Affairs and Business Regulation estimates that more than one million Bay State residents have been victimized by data breaches in the past two years. Thomas G. Shapiro, a Boston attorney who represented a group of TJX customers in a class-action suit filed against the company over the payment card thefts, says the evidence “showed that TJX was pretty lax and did not meet up-to-date security standards. But when you’re a consumer and go into a store, how do you know if security arrangements are [up to date]?”

Avivah Litan, an analyst with the information-technology research firm Gartner, estimates TJX will end up spending roughly $125 million to fix its security problems, but even that may not be enough. “The only way to prevent these types of hackers in the future is to make a major change to card payment systems,” Litan says.

Some countries, for example, include a smart chip on credit cards, which ensures the card can be unlocked and used only with a personal identification number. TJX is now among those pressing for this “chip and PIN” technology in the United States.

In the meantime, other precautions are being put into place. On March 1, Massachusetts implemented a strict new data-privacy law in the wake of the TJX attack. The law requires companies that hold on to personal data for employees or consumers to create safeguards, such as encryption — the sort of thing that could have prevented the TJX breach.

Of course, stopping data breaches is a cat-and-mouse game, and it’s likely that hackers will score again somewhere. They are driven not by simple greed, but by something more complex and difficult to curtail: ego. “Perhaps the most important thing to understand about Gonzalez’s crimes is that the motivation for them was predominantly the thrill of accomplishing more and more difficult computer feats and not just personal greed,” his attorney Martin Weinberg has said. “In addition, because of his single-minded focus on his computer and his interpersonal defects and the fact that those he harmed were faceless…Gonzalez was, during the time when he was committing his crimes, unable to appreciate the harm he was doing to others.”

But it’s too late for those who suffered from his handiwork, like Robert Mann. Though his bank covered his lost account balance, he’s still sour on TJX. As part of a class-action settlement by TJX, he received a $30 gift card. But he has no use for it: He avoids T. J. Maxx. These days, he says, “I make my lunch at home.”