TJX, Polo Data Surfaces in Credit Card Bust

After more than $75 million in bogus credit card charges, several Cuban nationals in Florida have been arrested with more than 200,000 credit card account numbers, many of which came from the TJX and Polo Ralph Lauren data breaches, according to U.S. Secret Service officials, commenting on the July 9 announced arrests.

The numbers were sent to the Florida defendants, who specialize in manufacturing bogus credit cards complete with embossing, logos, holograms and properly encoded magnetic strips, from a group of Eastern European residents who specialize in collecting the stolen credit card numbers, the Secret Service said.

That Eastern European group of fiduciary Fagans obtained those numbers from many different sources, but many of the numbers were traced back to two specific major retail data breaches: the 2006 TJX breach and a 2005 Polo Ralph Lauren breach, said a Secret Service case agent involved in the investigation and who asked that his name not be used.

Credit card numbers from the TJX theft have reportedly found themselves in multiple bogus credit card and giftcard probes, including a major gift fraud probe— which was also in Florida— as well as investigations in Alabama, North Carolina and Virginia.

Beyond the card numbers taken from Polo and TJX, the Florida group also used skimmers at restaurants to steal numbers along with "multiple hacks from the last five years," said Brian Camerieri, who is the supervisor of the Secret Service group leading the probe as well as the assistant to the special agent in charge of the Secret Services Miami field office.

Resource Library:

The numbers were quite global, with victims in the United States, Europe, Asia and Canada, among other places, and impacted "more than 300 banks," Camerieri said.

Authorities watched as the Florida defendants sent "large amounts of money" to the Eastern Europe team using an Internet payment system called E-Gold, which Camerieri said was considered a company that "didnt verify anything" in terms of identification and was a good choice "if you wanted to disguise who you are and launder money."

The defendants "were able to provide fictitious information to set up the account," said the case agent, who added that the lack of verification meant that, to the defendants, people could "just give (E-Gold) whatever [name and address] you want to give."

The Secret Service issued a statement that said "more than 200,000 credit card account numbers were recovered in connection with the rings activity, which was responsible for fraud losses of more than $75 million. Additionally, agents seized two pickup trucks, $10,000 cash and one handgun in connection with the case."

Click here to read more about the TJX data breach.

But Camerieri said that dollar amount isnt a specific amount and is merely a rough estimate based on a conservative guess that each card could bring $500 of fraud and that the actual number of card numbers the group is charged with having is 172,000. That actually comes to $86 million, but the announced figure was made even more conservative, possibly because not all cards had been used at the time of the arrests.

Making the estimate released even more conservative is the fact that, typically, Camerieri said, the fraud on a bogus credit with a stolen credit card number is much higher than $500. Credit card thieves have to play with various time limitations. If a credit or debit card is physically stolen through deception—such as a pickpocket—the thieves assume they have barely an hour or two before the card owner discovers the theft and alerts their bank to suspend the card. If the card is taken through force—such as during a mugging—thieves assume they have mere minutes.

Next Page: The defendants.