Target shoppers may not be a jet-setting bunch — but at least their credit card numbers are seeing the world.
Days after a cyber-security firm tied the massive retail hack that hit as many as 110 million Target shoppers to Russia, police in southern Texas arrested a man and a woman from Mexico in connection with the heist.
Mary Carmen Garcia, 27, and Daniel Guardiola Dominguez, 28, both of Monterrey, Mexico, were nabbed by federal and local agents as they crossed into the US on Sunday, according to the McAllen, Texas, police department.
The duo were caught with 96 counterfeit credit cards that, police said Monday, are believed to be linked to the Target security breach that quietly stole debit card numbers and other personal data as they were swiped through check-out readers at the discounters’ stores.
The two alleged perps racked up tens of thousands of dollars in bills last weekend at Toys ‘R’ Us, Walmart, Best Buy and other retailers, McAllen Police Chief Victor Rodriguez said at a press conference.
The purchases were made using account numbers of folks who live in south Texas, Rodriguez said. The police chief said he believes the stolen information is being sold regionally.
Cops teamed up with agents from the Secret Service and Homeland Security to track the culprits. After working all week to identify the alleged thieves, the lawmen arrested the duo at about 7 a.m. as they made their way back into Texas for another shopping spree, Rodriguez said.
“Someone in Mexico is obviously mining that data [obtained in the Target security breach] and producing the cards,” the police chief said.
California cyber-security firm IntelCrawler recently said it tracked the author of the malware, or malicious software, used in the Target heist to hackers from St. Petersburg, Russia, who have been selling it for around $2,000 a pop.
IntelCrawler, in a report Friday, fingered a 17-year-old as the architect of the malware.
On Monday, it issued an updated report that said the teenager was simply acting as “technical support” for a second Russian man, who it is now identifying as the author of BlackPOS, as the malware is known.
Meanwhile, cyber-security expert Brian Krebs has said the author is a Ukrainian resident.
Even if the identity of the malware’s architect is in dispute, the fear that other retailers could be at risk is not.
Last week, security firm iSight Partners, of Dallas, which is working with federal authorities on the cyber attack, said the software is sophisticated enough to cover its own tracks so that retailers may not even know they’ve been robbed.
Meanwhile, the US could find itself at a loss to hold the people behind it responsible, experts said.
“Not when they are in these jurisdictions,” said Dan Clements, president of IntelCrawler. “These people have coverage” from US laws, he said, speaking of Russia and other parts of Eastern Europe.