TJX, Polo Data Surfaces in Credit Card Bust

By Evan Schuman  |  Posted 2007-07-10

TJX, Polo Data Surfaces in Credit Card Bust

After more than $75 million in bogus credit card charges, several Cuban nationals in Florida have been arrested with more than 200,000 credit card account numbers, many of which came from the TJX and Polo Ralph Lauren data breaches, according to U.S. Secret Service officials, commenting on the July 9 announced arrests.

The numbers were sent to the Florida defendants, who specialize in manufacturing bogus credit cards complete with embossing, logos, holograms and properly encoded magnetic strips, from a group of Eastern European residents who specialize in collecting the stolen credit card numbers, the Secret Service said.

That Eastern European group of fiduciary Fagans obtained those numbers from many different sources, but many of the numbers were traced back to two specific major retail data breaches: the 2006 TJX breach and a 2005 Polo Ralph Lauren breach, said a Secret Service case agent involved in the investigation and who asked that his name not be used.

Credit card numbers from the TJX theft have reportedly found themselves in multiple bogus credit card and giftcard probes, including a major gift fraud probe— which was also in Florida— as well as investigations in Alabama, North Carolina and Virginia.

Beyond the card numbers taken from Polo and TJX, the Florida group also used skimmers at restaurants to steal numbers along with "multiple hacks from the last five years," said Brian Camerieri, who is the supervisor of the Secret Service group leading the probe as well as the assistant to the special agent in charge of the Secret Services Miami field office.

The numbers were quite global, with victims in the United States, Europe, Asia and Canada, among other places, and impacted "more than 300 banks," Camerieri said.

Authorities watched as the Florida defendants sent "large amounts of money" to the Eastern Europe team using an Internet payment system called E-Gold, which Camerieri said was considered a company that "didnt verify anything" in terms of identification and was a good choice "if you wanted to disguise who you are and launder money."

The defendants "were able to provide fictitious information to set up the account," said the case agent, who added that the lack of verification meant that, to the defendants, people could "just give (E-Gold) whatever [name and address] you want to give."

The Secret Service issued a statement that said "more than 200,000 credit card account numbers were recovered in connection with the rings activity, which was responsible for fraud losses of more than $75 million. Additionally, agents seized two pickup trucks, $10,000 cash and one handgun in connection with the case."

Click here to read more about the TJX data breach.

But Camerieri said that dollar amount isnt a specific amount and is merely a rough estimate based on a conservative guess that each card could bring $500 of fraud and that the actual number of card numbers the group is charged with having is 172,000. That actually comes to $86 million, but the announced figure was made even more conservative, possibly because not all cards had been used at the time of the arrests.

Making the estimate released even more conservative is the fact that, typically, Camerieri said, the fraud on a bogus credit with a stolen credit card number is much higher than $500. Credit card thieves have to play with various time limitations. If a credit or debit card is physically stolen through deception—such as a pickpocket—the thieves assume they have barely an hour or two before the card owner discovers the theft and alerts their bank to suspend the card. If the card is taken through force—such as during a mugging—thieves assume they have mere minutes.

Next Page: The defendants.

The Defendants

In both of those physical situations, the objective is to use the card as quickly as possible. Popular approaches are to quickly make expensive purchases and then discard the card. Buying a high-dollar amount of giftcards right away is also popular because it can buy the thief several additional days to spend the money before authorities can connect the stolen credit card to the stolen giftcards.

But when thieves steal large numbers of credit cards—the TJX breach, for example, involved the thieves accessing the credit card data of some 46 million consumers—the cards are sometimes changed, but they are often not touched until some fraud is discovered. That gives the fraudsters plenty of time to create fake cards and sell them to other thieves.

Once fraudulent activity starts, it keeps going until the credit card company detects a fraudulent pattern and calls the consumer or until consumers receive their next credit card statement and notify their bank.

In the Florida case, the defendants ran a diversified fraud business, Camerieri said, with numbers being sold in addition to various types of credit cards. The credit card plants run by the defendants created full cards—complete with embossing, bank and credit card logos, holograms and properly encoded magnetic stripes on the back—as well as so-called white plastic, which is just a plain card with the properly encoded magstripe.

The white plastic cards are popular because they are cheaper than the full cards (which often sell for between $50 and $100 each). Although they cant be used when dealing with retail employees, they work well with self-checkout systems such as gas stations and supermarket checkout.

"Weve seen a lot of HomeDepot," Camerieri said, referring to the home improvement chains extensive use of self-checkout lanes. "You can pay at the gas staton all day long with that stuff." Other retailers seen repeatedly in this case were Wal-Mart and Lowes and "all of the electronics chains," said the case agent.

Those arrested were Miguel Alegria, 46, of Hialeah, Fla.; Raynier Pupo, 22, of Miami, Fla.; Ariel Montero, 32, of Aventura, Fla.; Javier Padron-Bravo, 35, of Aventura, Fla; Julio Lopez, 30, of Hialeah, Fla.; and Anett Villar, 26, of Hialeah, Fla. Charges against some of the defendants included aggravated identity theft, counterfeit credit card trafficking and conspiracy.

Cuban Nationals Alegria, Pupo, Montero and Padron-Bravo all pled guilty in late June to the conspiracy counts, in exchange for a plea agreement with the government for the other charges to be dropped, Camerieri said. Alegria, Pupo, Montero and Padron-Bravo are scheduled for sentencing in September, which is when the judge will decide whether to accept the plea agreement.

The probe started when an agent from the Secret Services Nashville field office went online while undercover—as part of what was ultimately called Operation Blinky—and tried to do business with Lopez.

Retail Center Editor Evan Schuman can be reached at

Check out eWEEK.coms for the latest news, views and analysis on technologys impact on retail.

Rocket Fuel