Archive for August, 2008

Indictment Issued In Retail Hacking Scheme

Friday, August 8th, 2008

The Department of Justice issued an indictment involving the hacking of computer systems of nine major U.S. retailers. It purports to be the largest such case ever brought by the Department.

The indictment, brought in Boston, alleges that one Albert Gonzalez and others used a sophisticated attack that involved breaking into the retailers’ wireless networks and subsequently stealing credit card and other information using “sniffer” programs. The retailers involved include Barnes & Noble, BJ’s Wholesale Club, Boston Market, DSW, Forever 21, OfficeMax, Sports Authority, and TJX Companies. The defendants’ actions allegedly involve the theft of more than 40 million credit card numbers, some of which were sold on the Internet and some of which were used to create counterfeit cards to “cash out” the accounts.

The Department of Justice has issued a press release, which can be found here. The indictment itself is available below:

Gonzalez, Albert – Indictment 080508

Which Banks Are Responsible For Credit Card Breaches?

Saturday, August 2nd, 2008

The United States Court of Appeals for the Third Circuit has issued a ruling in Sovereign Bank v. Fifth Third Bank and BJ’s Wholesale Club, Inc., exploring the relative responsibilities and obligations of banks involved in credit card security breaches. It addresses the complex relationships between the credit card company (here, Visa), the banks who issued the credit cards (“Issuers,” such as party Sovereign Bank), the retailers who accept the credit cards (“Merchants,” such as BJ’s) and the banks who work with the Merchants to process credit card transactions (“Acquirers,” such as party Fifth Third Bank). The relationships are governed in part by Visa’s Operating Regulations, which set out standards regarding the use and retention of credit card information.

Generally, losses resulting from fraudulent credit card charges are the responsibility of the Issuing Bank, but that liability can shift to the Acquirer if the losses resulted from the Acquirer’s violation of Operating Regulations. Sovereign, an Issuer, claimed that this happened because Fifth Third’s merchant, BJ’s, failed to destroy information gleaned from customers’ swiped credit cards after it had been used.

The decision explored in depth whether the contractual relationship between Visa and Fifth Third was intended to benefit Issuing Banks such as Sovereign, giving them a right to sue. The Third Circuit, overturning the lower court, concluded that Sovereign could at least make the argument. It also held, however, that Sovereign could not sue BJ’s for negligence, since the losses were purely economic and there was no “third party beneficiary” argument it could construct to reach the retailer.

The matter has been sent back to the lower court for further proceedings. The decision may be found here:

Sovereign Bank v BJ’s Wholesale Club