Yet another recent press release – this one from the U.S. Attorney’s Office in Connecticut – shields the name of the breached entity:
David B. Fein, United States Attorney for the District of Connecticut, announced that NATASHA SMITH, 25, of Georgia, formerly of Far Rockaway, New York, waived her right to indictment and pleaded guilty yesterday, August 30, before United States Magistrate Judge Holly B. Fitzsimmons in Bridgeport to one count of conspiracy to commit access device fraud.
According to court documents and statements made in court, from September 2008 to January 2009, SMITH worked as a waitress at a restaurant in Stamford, Connecticut. In pleading guilty, SMITH admitted that, while working at the restaurant, she and a co-worker, Chibuzo Okafor, stole credit card information from customers through the use of “skimming” devices. When restaurant customers would pay with their credit cards, SMITH and Okafor would swipe the cards through hand-held skimmers before running them through the restaurant’s own legitimate credit card verification system. The skimming devices would copy and store the account information encoded on the magnetic strips on the back of the credit cards.
Every few weeks, an individual who supplied the skimming devices would meet with SMITH or Okafor so they could turn over to him the credit card information stored on the devices. That person would pay them either $20 or $25 for each credit card they successfully swiped through the skimming device and then give them new skimmers so they could continue with the scheme. The stolen credit card information was later used by members of the conspiracy to make unauthorized purchases.
While SMITH and Okafor were employed at the Stamford restaurant, approximately 92 credit cards were compromised, the majority of which were compromised by Okafor, resulting in losses of approximately $135,888.
SMITH is scheduled to be sentenced by United States District Judge Janet B. Hall on November 18, 2011, at which time SMITH faces a maximum term of imprisonment of five years.
On March 10, 2010, Okafor pleaded guilty to one count of conspiracy to commit access device fraud. She awaits sentencing.
This investigation is being conducted by the Connecticut Financial Crimes Task Force, notably the United States Postal Inspection Service and the United States Secret Service. The Task Force also includes members from the United States Department of State, Bureau of Diplomatic Security; the Connecticut State Police; and the Glastonbury, Greenwich, Hartford, New Haven and Shelton Police Departments.
This case is being prosecuted by Assistant U.S. Attorney Paul Murphy.
Note that neither the Complaint nor Plea Agreement, both of which I obtained from PACER, reveal the name of the restaurant in Stamford or the restaurant in New York where both defendants also worked. Why not?
Well, it turns out that in this case, we do know the name of the restaurants – because they were revealed in the prosecution of the co-defendant. In March 2010, another U.S. Attorney for Connecticut revealed the restaurants as P.F. Chang’s and Grand Lux Cafe in Connecticut and New York, respectively.
So why do the 2011 press release and court filings carefully omit the restaurants’ names? I’ve commented on this trend a number of times, as I do think we’re seeing a disturbing and growing trend whereby information is intentionally withheld from the public – information that is of public concern and that the public should have a right to know.
Are businesses putting pressure on states not to reveal this information? I have no evidence of that, but it wouldn’t surprise me at all. I do know that states that used to post breach notices online are no longer doing so. Maryland has not updated its site since last year and New York withdrew its site altogether. Budget cuts? Maybe. Coincidence? Maybe. But I’d really encourage all states that retain central depositories of breach notifications to post them online so that we have more usable information about statistics and trends.
I don’t believe most of the states hold back names of the breaches for protection of the company name. It may be that the ongoing investigation may require it to remain hush-hush so investigators can accumulate as much data against the criminals as they can. A too-early release of a breach may give the hacker ample notice to dump any evidence that may be related to a crime.
I am not a hacker, but I can imagine, if the “technique” worked against one brand of software, there may be many more opportunities out there. That can either become an open-season hunting ground for that hacker, or it can bring a fistful of cash to provide that proof of concept to other hackers looking to get in.
The authorities may want additional proof, or have set up some sort of surveillance waiting for the entity to strike again, and then they can almost catch them in the act. With the laws about hacking being relatively new to most countries and states, removing as much doubt about a particular hacker’s participation in an act holds up better in court.
I am sure there are companies and websites that are tightly entwined into the local, state and federal governments that might be given a bit of leniency when it comes to reporting a breach, but you’re right – why offer that? A customer and banking institution will suffer more so than a company that is potentially at fault.
With the brashness of some hacking groups, it’s almost a challenge for the authorities to try and stop potential hacks. Hacks should be treated like, say, drunk driving; they can have the same potential impacts, and the effects can cause life-changing events.
In the situation of skimmers, I don’t see where less than $3,000 in direct cash can be an option worth about 4 years in the slammer, and loss of complete trust with any company that uses credit cards or requires a position of trust. What are these people thinking? It’s extremely easy for the authorities to figure the skimmer use out. Most will eventually be caught, but again, you can catch the small fish, but I am sure they are looking to catch the big fish as well, which may be the real reason they are going to keep compromised company breaches under wraps.