« Secured Personal Data On Stolen Laptop | Main | Healthcare Internal Control: Retained E-mail & IM Records »

August 07, 2008


Feed You can follow this conversation by subscribing to the comment feed for this post.

Jim Graves

FWIW, the DoJ press release said that the accused withdrew tens of thousands of dollars at a time, not total. The latest number I saw for the first credit card ring is $8 million, and the DoJ indictment wants $20 million in forfeitures from Yastremskiy.

I talk about this a bit more on my blog.

Ben Wright

Jim: Thank you! You are absolutely correct about the tens of thousands of dollars at a time. I was mistaken. My original thinking came from USAToday, which did not say "at a time". I cited the US DoJ press release, but failed to read it carefully.

Thus, regarding the ATM withdrawals, it seems the hundreds of thousands of dollars figure is better.

I'm going to look into the other figures you cite. --Ben

Ben Wright

Jim: Regarding the ring of thieves in Florida: The original criminal charges (circa March 2007) filed against the ring used the $8 million figure. However, later press reports like this one in the St. Petersburg Times, speak in terms of a lower figure, i.e., "more than $1-million". I appreciate your contribution to this discussion!

Ben Wright

Jim: Yastremskiy’s indictment, page 10 seeks forfeiture of $11,509,647.

Tracing particular dollars to a break-in at a particular merchant is a forensic nightmare. Yastremskiy et al. are tied to data thefts at many merchants, TJX being just one. Dollar figures tied to Yastremskiy mix TJX with other heists.

Criminal indictments like Yastremskiy’s are not conservative, CPA-audited financial statements. They are negotiation documents, written by prosecutors, i.e., advocates of the government’s position.

The forfeiture sought from Yastremskiy could easily count any given dollar more than once. He was a money launderer; he moved money around. The indictment (apparently) seeks all the money transferred in connection with him during certain periods of time.

Again, thank you for your thoughtful contribution Jim.

Tom Mahoney

Mr. Wright;

Although you've made some good points here, I think you've missed some important ones too.

I'm a merchant advocate but I have no problem pointing the finger directly at TJX and the others. They were not PCI compliant and some areas of their security, wireless in particular, were shoddy at best. To make matter worse, there's ample evidence that they knew it and made the conscious decision to save money by not tightening up. Saved a bundle, didn't they!

I represent close to 3800 e-commerce merchants and I don't think that there was an over reaction at all. What you haven't taken into account is that this credit card information - which is now believed to be in the neighborhood of 90 million accounts - will be floating around for years in the carder chat rooms and bulletin boards that have been created to sell them one by one or in blocks of thousands. And every time one of them is successfully used on line for a purchase, the e-commerce merchant will suffer. He'll loose his money, his merchandise, his shipping fees and a chargeback fee. Chargeback fee, I assume you know, is the payment industry's term for a fine for being a victim of a crime.

The arrests and indictments that we know about so far may well be a drop in the bucket against those 90 million accounts. As you pointed out yourself, tracing particular dollars to a break-in at a particular merchant is a forensic nightmare. The fact is that we'll never know how many dollars were lost, how many of those accounts were used, or how many will be used in the future. From an e-commerce merchant's point of view, every one of those accounts should be closed and new ones issued. And if TJX, et. al. have to pick up the tab, so be it.

Over reaction? Not from where I stand.

Tom Mahoney
Director, Merchant911.org
Developer, Preventing e-Commerce Chargbacks

Rick Aster

When you know a criminal organization is in possession of your card data, it is safer to cancel the card immediately. Waiting for fraudulent charges to actually appear is not less expensive in the long run.

The comments to this entry are closed.

Wright's Online SANS Education

Jackson County Case Study

IT Administrators


  • Follow benjaminwright on Twitter

Custom Professional Training

Local ARMA Quote

  • "The presentation by Mr. Wright, sponsored by Messaging Architects, was engaging and provocative. He delivered insights that challenged some of our views on retaining e-mail, and definitely shattered others." - Terry Mergele, CRM, Program Chair, San Antonio ARMA.
My Photo


  • Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He helps tech professional firms write engagement contracts, and otherwise manage their legal liability and right to be paid. Such firms include QSAs, auditors, blockchain analysts, penetration testers and forensic investigators. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center 1984.

SANS Quote

  • "The best professional trainer in the country on these issues is Ben Wright." --Stephen H. Chapman, Principal and CEO, Security Advisers, LLC, and student in Mr. Wright's SANS legal training


  • No public statement by Mr. Wright (blog, comment, book, article, video, speech, tweet) is legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

    The purpose of this blog -- and the purpose of all of Mr. Wright's public statements -- are public education and discussion, and not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.

    Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

    Mr. Wright's contributions to blogs, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer Law.

    The only person responsible for Mr. Wright's words is Mr. Wright.

    Mr. Wright has received money from some organizations he mentions online, such as Netmail/Messaging Architects, SANS Institute and LabMD.

    Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642, Dallas, TX. Also, please state publicly on Mr. Wright's blogs or pages that he is wrong. Promptness helps mitigate damage.

    Any person accessing this blog agrees not to use data from it (or from any other public activity or statement by Mr. Wright) in a way that is adverse to Mr. Wright's interests.

    Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchanging private messages with Mr. Wright does not, by itself, form an attorney-client relationship.

    Privacy/Security Vision: Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.

Search Wright's Blogs

Find More on This Blog


Become a Fan

Find More on This Blog