Damon Patrick Toey last week became the first person to plead
guilty to helping to steal more than 40 million identities and
account details in
the world's biggest criminal computer hack.
US attorneys
charged Toey and 10 others on 5 August with conspiracy,
computer intrusion, fraud and identity theft.
They face charges of hacking into nine large US retailers,
including TJX and its UK subsidiary, TKMaxx, to steal and resell
more thn 40 million credit and debit card numbers. It is the
largest hacking and identity theft case prosecuted so far by the
Department of Justice.
Three defendants were US citizens, one was from Estonia, three
from Ukraine, two from the People's Republic of China and one from
Belarus. One was known only by an online alias.
The alleged leader, Albert "Segvec" Gonzalez, is believed to be
a former secret service informer. Gonzales has pleaded not guilty
to charges related to the TJX hack.
The defendants are accused of "wardriving" or hacking into
retailers' wireless networks to copy sales transaction details. The
alleged offences took place between 2003 and 2008.
Toey was
charged with unlawful access to computers, access device fraud,
wire fraud, aggravated identity theft, and money
laundering.
Lawyers said Toey worked with Gonzales to attack computer
networks, often using SQL injection attacks to find flaws in
retailers' networks. He used these flaws to gain access to track 2
data (from the magnetic stripe on the back of payment cards),
accounts and files before copying them and selling them to criminal
third parties inside and outside the US.
If convicted, Toey faces the confiscation of three Sony Vaio
laptops, an Xbox and an iPad Nano, as well as data storage units
and $9,500 in cash.
The theft, which went undetected for nearly five years, allowed
the thieves to withdraw "tens of thousands of dollars" at a time
from foreign ATM machines. It cost TJX and other retailers millions
in compensation and administration costs.