A Simple Scheme to Rob 45,700,000 People

Three years ago a group of computer geeks slipped into the servers at Framingham-based TJX — the parent company of T. J. Maxx — and orchestrated the world’s biggest identity heist. Now, as the hackers head to prison and the secrets of their scam are revealed, one question remains: Are you any safer?

At most stores, when customers swipe a payment card at the checkout, that data travels over wireless networks to the store’s computers. It then makes its way to servers at the parent company, where it is processed. For years, even though retailers like TJX used passwords to protect their wireless networks, the data itself was either encrypted at a basic level or unencrypted. This meant that a hacker like Gonzalez could access the information with a computer and a WiFi connection.

Beginning in 2003, Gonzalez and a crew of hackers he’d organized started driving around Miami using laptops to scan for stores that used wireless networks, a practice called wardriving. Once the hackers detected an accessible network, it was like finding a gaping hole in a cash machine. Gonzalez’s crew started sucking credit and debit card numbers from a variety of stores around town, everywhere from Marshalls to Boston Market. And they cashed in. Stolen card information could either be sold on the black market for between $10 and $100 per account, or used to make withdrawals from bank machines.

Gonzalez, who adopted the hacker handle “soupnazi,” after the notoriously cranky restaurateur from Seinfeld, dubbed his gang “Operation Get Rich or Die Tryin’” after the album by 50 Cent. He bought himself a $40,000 BMW, blew $75,000 on a birthday party, and began staying at ritzy Miami hotels, even while still living with his parents.

But he wanted more. More numbers. More money. More everything. To get it, Gonzalez needed a “sniffer” program, an insidious piece of spyware he could install on a retailer’s server, which would then log and capture an unimaginable trove of numbers. Instead of parking outside a single Marshalls, say, he would be able to steal data from the computers at the TJX corporate headquarters in Framingham. And Gonzalez knew the perfect man to write such a program — Stephen Watt.

Unlike Gonzalez, Watt had not given in to the criminal side of hacking. Since 2004, he’d been working in New York as a software engineer at the investment bank Morgan Stanley. He’d heard about Gonzalez’s increasingly lavish lifestyle, but took the stories with a grain of salt. He figured his friend’s money was coming from what he had heard was a $75,000 annual salary the government was paying him as an informant. Gonzalez and Watt talked for hours through instant messages, and Gonzalez would send him articles of hacker exploits — without ever taking responsibility. “Please read that shit,” Gonzalez wrote to Watt about one story he passed along. “I’m laughing right now so hard that I spit all over the laptop screen.”

Watt insists he didn’t suspect his friend of being involved in the crimes (a claim that federal prosecutors would later dispute). So when Gonzalez asked him to write a sniffer program, he obliged. It was part of the hacker ethic, he believed, something that people in the outside world couldn’t understand. You write code, you pass it along to your trusted friends, and you don’t ask questions. “Sharing code is a way of life,” Watt says. “There’s not an ethical or moral stop sign that says you should care about this. I approach this from a point of karma. I’m not sniffing credit cards, I’m not selling them, and I’m not getting money from this. I don’t lose sleep at night. My hands are clean. He’s his own moral agent.”

Watt spent 10 hours writing a sniffer program he called “blabla.” And then he e-mailed it to Gonzalez.
