A Simple Scheme to Rob 45,700,000 People

Three years ago a group of computer geeks slipped into the servers at Framingham-based TJX — the parent company of T. J. Maxx — and orchestrated the world’s biggest identity heist. Now, as the hackers head to prison and the secrets of their scam are revealed, one question remains: Are you any safer?

BY UPLOADING WATT’S SNIFFER PROGRAM through the network at TJX, Gonzalez now had access to the retail giant’s computer servers in Framingham — and legions of unwitting customers had reason to fear him. By January 2007, TJX customers across the eastern seaboard, including auto mechanic Robert Mann, were noticing terrible things happening to accounts in their names. 

Late that month, TJX chairman Ben Cammarata sent an open letter to the company’s customers explaining that, a month earlier, the company had discovered a computer breach. “We have promptly alerted law enforcement authorities and an investigation is under way,” he wrote. “We have also engaged two of the very best computer security experts to help us strengthen the security of our systems in order to prevent this from happening again, and we believe customers should feel safe shopping in our stores.” But, he added, “there is much we still have yet to understand about this issue.”

A break came in July 2007, when the Operation Firewall investigators — the very same team that had relied on Gonzalez as an informant — stumbled onto the trail of a 25-year-old hacker in the Ukraine, Maksym Yastremskiy, who was thought to be a key player in the underworld trade of stolen payment cards. Federal agents seized Yastremskiy’s laptops to find millions of stolen numbers and something of a smoking gun: the same essential code used in the sniffer program found on the TJX computers. They also found records of online chats with a hacker nicknamed “soupnazi.”

On May 7, 2008, Gonzalez was inside room 1508 of the art deco National Hotel in Miami Beach. As his girlfriend lay nearby, along with a Glock 27 handgun, two laptops, and $22,000 in cash, federal agents burst into the room and placed him under arrest. But the astonishing fallout was just beginning. On August 5, 2008, Gonzalez and 10 others were indicted by a federal grand jury in Boston for stealing more than 40 million credit and debit card numbers from not only TJX, but also BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21, and DSW.

Last August, as Gonzalez was being held in prison in Brooklyn, he was indicted again — this time for stealing 130 million credit and debit card numbers between 2006 and 2008, from companies including Heartland Payment Systems, 7-Eleven, and Hannaford Brothers, a regional supermarket chain. U.S. Attorney General Michael Mukasey called it “the single largest and most complex identity-theft case ever prosecuted in this country.”

Last December, Watt was sentenced to two years in prison for writing the sniffer program and ordered to pay $171.5 million in restitution. But he maintains that he had no knowledge of criminal use of his program, and he was not found to have made any money from the heist. “The government doesn’t have any evidence on me,” he says one February afternoon in his Manhattan apartment, where he’s biding his time until he goes behind bars. “I’ve kept my nose clean.” Watt says Gonzalez told him he feels horrible for getting him into this fix. They remain close friends.


  • Bla

    Editor refused to make the following requested correction: “TJX should be thanking me” -> “TJX should be thanking me for helping to clean out their technical staff.” as seen on the website of aut