Man accused in TJX data breach pleads guilty

Damon Patrick Toey is one of 11 people arrested in the massive breach.

Many of the Internet attacks that Toey facilitated were SQL injection attacks, according to court documents.

The documents described Gonzalez, Toey and others as going "war-driving" in commercial areas of Miami looking for vulnerable retail networks they could attack. Once they broke into a network, they would locate and steal "Track 2" data from the magnetic stripe on the back of payment cards as well as PIN-block data associated with debit cards.

The gang allegedly used sophisticated "sniffer" programs to capture password and user account information, which they would then use to break into other corporate servers containing payment card data. The gang also had access to tools that allowed its members to decipher encrypted PINs. The stolen data was then either sold to cybercriminals in Eastern Europe and the U.S. or used to make fraudulent credit and debit cards.

Toey and his gang allegedly maintained servers in the U.S., Latvia and Ukraine that were used to store tens of millions of stolen credit and debit card numbers, according to court documents.

A spokeswoman for the prosecutor's office today said that Gonzalez made his initial court appearance yesterday and pleaded innocent to the charges against him. He remains in custody without bail. His next hearing is scheduled for sometime next month.

The next person scheduled to make a court appearance in connection with the case is Christopher Scott, who appears to have played a major role in the data theft at TJX. Scott faces five felony counts, including unlawful access to computers, wire fraud, aggravated identity theft and money laundering.

On two separate occasions in July 2005, Scott compromised two wireless access points at a TJX-owned Marshalls store in Miami. He used the access to download various commands onto TJX servers containing payment card data. In September 2005, Scott and Gonzalez first started downloading payment card data from TJX servers in Framingham.

About a year after gaining access to the TJX network, Scott established a VPN connection between a TJX payment card transaction processing server and a malicious server owned by Gonzalez. That connection, in turn, was used to upload various sniffer programs to the server to capture transaction data as it was being processed.

Scott collected about $400,000 for his part in the data theft. At the time of his arrest, authorities seized about $6,000 in cash, a Rolex watch and nearly two dozen pieces of electronic equipment, including several laptop computers, storage devices, PDAs and video recorders.

Stories by Jaikumar Vijayan
