US prosecutors last week charged 11 men from five countries with what US Attorney General Michael Mukasey called the "single largest and most complex identity theft case" ever brought in the US, revealing what businesses trying to protect customer data are up against.
The indictments follow a three-year investigation by US Secret Service officers that revealed a sophisticated, complex high-tech underworld, the extent of the criminal network involved in identity theft, and the value of this information in the hands of criminals.
The scam started with the theft of the credit and debit card details of up to 45 million people who bought goods at a number of retailers, including TJX, the parent of UK retailer TK Maxx. These details were subsequently used to defraud banks and account holders of at least £5.5m.
According to prosecutors, the conspirators obtained the credit and debit card numbers by searching for a retailers' wireless network - known as wardriving - and hacking into it. Once inside the networks, they installed programs known as sniffers to capture card numbers as well as password and account information, as transactions moved through the retailers' sales systems.
After they collected the data, the conspirators hid them in encrypted computer servers that they controlled in Eastern Europe and the US. They allegedly sold some of the credit and debit card numbers on the internet to other criminals in the US and Eastern Europe.
The stolen numbers were then used to encode the magnetic strips of blank cards. The accused then used the cloned cards to withdraw tens of thousands of dollars at a time from ATMs.
Dominic Storey, technical director of intrusion prevention experts Sourcefire, says TJX was hampered because it could not detect and identify the sniffer programs that caused the breach. "CIOs must do two things," he says. "One is never to send sensitive data unencrypted - use a secure socket layer link. Secondly, never link your wireless network directly to your internal network - use a 'demilitarised zone', which acts as a kind of porch to your house."
US attorney Benton Campbell says, "Computer hacking and identity theft pose serious risks to our commercial, personal and financial security."
Both the US's intent to deter identity theft and the scale of the problem are clear. In 2007 it prosecuted 2,470 people for identity theft and convicted 1,943.
But the UK's ability to bring similar swift justice to identity thieves and internet-enabled fraudsters is less certain, says Neil Fisher, vice president of identity management at Unisys and vice-chairman at the Information Assurance Advisory Council. "Since the National High Tech Crime Unit was disbanded, there has been no one with whom industry can enjoy a robust but private exchange of information on these issues," he says.
But prevention is better than cure. The payment card industry is now tightening up retailers' compliance with its data security standard. This requires retailers to encrypt customer names and account details on all card-based transactions. It also now requires retailers to install firewalls and intrusion detection and prevention systems to protect their networks against unauthorised access.
The TJX incident is a warning to all companies that use or provide wireless network access to systems. Consumers and employees already use more than 1.3 billion mobile phones and a billion personal computers to send and receive personal data, transact business and share information. Fisher says companies that carry and store such information have a duty of care to keep it safe.