Tuesday, September 16, 2008

Plea in Case of Largest Data Theft in History

On September 11, 2008, Damon Patrick Toey entered a plea of guilty to charges including wire fraud, credit card fraud, and aggravated identity theft stemming from the largest data theft in history. Toey and others stole information on tens of millions of customers from TJX Cos. and BJ's Wholesale Club. According to federal prosecutors, the group also breached the security of many other companies.  The Boston Globe had extensive coverage of the hearing.

At a hearing in federal District Court in Boston yesterday afternoon, Damon Patrick Toey, 23, of Miami, pleaded guilty to multiple charges, including wire fraud, credit card fraud, and aggravated identity theft. Prosecutors alleged he helped the accused ringleader, Albert Gonzalez, to break through the computer security of a number of retail stores in the Miami area.

Gonzalez himself appeared at a second hearing later in the day and pleaded not guilty to a set of similar charges.

Prosecutors said both men were key players in a loose-knit ring spanning countries from China to Ukraine that stole or trafficked in more than 40 million payment cards in all, causing more than $400 million in damages. The ring initially accessed customer data by using laptops to penetrate wireless networks of retail stores, from which they were able to access the companies' servers.

At the hearing for Toey yesterday, Assistant US Attorney Stephen Heymann elaborated on his role in the scheme. Toey first helped Gonzalez steal money from automated teller machines in the New York area in 2004, then became more involved in stealing and selling card data from vulnerable retail computer networks, according to Heymann and previous government filings. Last year he lived rent-free at Gonzalez' Miami condo, the government said.

When asked by Judge William G. Young why he was entering the plea, Toey said prosecutors "have enough, other than what I'm pleading guilty to," on him, "that would make it a lot worse, in my opinion."

It was the longest utterance of the day for Toey, who said he had an eighth-grade education. He entered his plea even though his defense attorney, Syrie Fried, and prosecutors hadn't agreed on just how much in losses his actions caused, which could affect his eventual sentence. Technically he could face more than 30 years in prison, judge Young said at one point.

Young released Toey on probation, at least temporarily, to a location in the Norfolk, Va., area, where Fried said he grew up and has family. Toey will be subject to electronic monitoring, face travel restrictions, and be barred from using computers.

And in a separate court filing yesterday, Heymann wrote the government has evidence that Toey and his coconspirators hacked into "numerous other businesses." The filing did not disclose the businesses, and Heymann did not release any more details in court. In all, more than 40 million credit and debit card numbers were stolen by the conspirators, Heymann wrote, potentially victimizing hundreds of banks that issued the cards.

For those interested in the notion of "aggravated identity theft," here is the statute - 18 USC 1028A.
(a) Offenses.—
(1) In general.— Whoever, during and in relation to any felony violation enumerated in subsection (c), knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person shall, in addition to the punishment provided for such felony, be sentenced to a term of imprisonment of 2 years.
(2) Terrorism offense.— Whoever, during and in relation to any felony violation enumerated in section 2332b (g)(5)(B), knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person or a false identification document shall, in addition to the punishment provided for such felony, be sentenced to a term of imprisonment of 5 years.
(b) Consecutive Sentence.— Notwithstanding any other provision of law—
(1) a court shall not place on probation any person convicted of a violation of this section;
(2) except as provided in paragraph (4), no term of imprisonment imposed on a person under this section shall run concurrently with any other term of imprisonment imposed on the person under any other provision of law, including any term of imprisonment imposed for the felony during which the means of identification was transferred, possessed, or used;
(3) in determining any term of imprisonment to be imposed for the felony during which the means of identification was transferred, possessed, or used, a court shall not in any way reduce the term to be imposed for such crime so as to compensate for, or otherwise take into account, any separate term of imprisonment imposed or to be imposed for a violation of this section; and
(4) a term of imprisonment imposed on a person for a violation of this section may, in the discretion of the court, run concurrently, in whole or in part, only with another term of imprisonment that is imposed by the court at the same time on that person for an additional violation of this section, provided that such discretion shall be exercised in accordance with any applicable guidelines and policy statements issued by the Sentencing Commission pursuant to section 994 of title 28.
(c) Definition.— For purposes of this section, the term “felony violation enumerated in subsection (c)” means any offense that is a felony violation of—
(1) section 641 (relating to theft of public money, property, or rewards [1]), section 656 (relating to theft, embezzlement, or misapplication by bank officer or employee), or section 664 (relating to theft from employee benefit plans);
(2) section 911 (relating to false personation of citizenship);
(3) section 922 (a)(6) (relating to false statements in connection with the acquisition of a firearm);
(4) any provision contained in this chapter (relating to fraud and false statements), other than this section or section 1028 (a)(7);
(5) any provision contained in chapter 63 (relating to mail, bank, and wire fraud);
(6) any provision contained in chapter 69 (relating to nationality and citizenship);
(7) any provision contained in chapter 75 (relating to passports and visas);
(8) section 523 of the Gramm-Leach-Bliley Act (15 U.S.C. 6823) (relating to obtaining customer information by false pretenses);
(9) section 243 or 266 of the Immigration and Nationality Act (8 U.S.C. 1253and 1306) (relating to willfully failing to leave the United States after deportation and creating a counterfeit alien registration card);
(10) any provision contained in chapter 8 of title II of the Immigration and Nationality Act (8 U.S.C. 1321 et seq.) (relating to various immigration offenses); or
(11) section 208, 811, 1107(b), 1128B(a), or 1632 of the Social Security Act (42 U.S.C. 40810111307 (b)1320a–7b (a), and 1383a) (relating to false statements relating to programs under the Act).

No comments: