August 17, 2009 2:28 PM PDT

Three men indicted in largest U.S. data breach

by Elinor Mills

Two Russians and a Florida man were charged on Monday with hacking into Heartland Payment Systems, 7-Eleven, and the Hannaford Brothers supermarket chain, and stealing data related to more than 130 million credit and debit cards.

The indictment names 28-year-old Albert Gonzalez of Miami, who already has been charged with stealing data related to 40 million credit cards from eight major retailers, including TJ Maxx, and two unnamed co-conspirators based in Russia.

The breach involving Heartland and the others is believed to be the largest hacking and identity theft case ever prosecuted by the U.S. Department of Justice. In addition to Heartland, 7-Eleven, and Hannaford Brothers, it involves two unnamed corporate victims, according to a statement from the U.S. Attorney's office.

The three men were indicted on charges of conspiring to hack into computer networks and stealing data as far back as October 2006. Gonzalez, whose aliases include "segvec" and "soupnazi," and the others allegedly found victims on a list of Fortune 500 companies and visited retail locations to see what type of checkout systems they used.

They used an SQL injection attack to steal the data and used computers in California, Illinois, New Jersey, Latvia, Ukraine, and the Netherlands for storing malware and stolen data and launching attacks, according to the indictment. In an SQL injection attack, an attacker submits crafted input to a Web application, which passes it unchecked into a database query; the database then runs the attacker's commands alongside the application's own, exposing the data behind the site.
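As an added illustration of that one-sentence description (not code from the article, the indictment, or any of the companies named), here is a constructed Python example using an in-memory SQLite table: the first lookup splices user input into the query text, the second binds it as a parameter, and a small check shows what a defender could log on. Table name, column names and card values are made up for the example.

```python
import sqlite3

# Constructed in-memory table standing in for a card-processing application's
# customer lookup; the names and last-four digits are made-up sample values.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("alice", "1234"), ("bob", "5678"), ("carol", "9012")])
    return conn

def lookup_vulnerable(conn, name):
    # Untrusted input is concatenated straight into the SQL text, so the
    # database cannot tell the application's query apart from the attacker's.
    sql = "SELECT name, card_last4 FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    # The query text is fixed; the input travels as a bound parameter and is
    # only ever compared as a value, never parsed as SQL.
    sql = "SELECT name, card_last4 FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def suspicious_input(name):
    # Minimal detection hook: a quote, comment marker or statement separator
    # in a field that should only ever hold a customer name is worth logging.
    return any(tok in name for tok in ("'", "--", ";"))

if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"   # constructed input that turns the WHERE clause into a tautology
    print(lookup_vulnerable(conn, "alice"))      # one row, as intended
    print(lookup_vulnerable(conn, crafted))      # every row: the query was rewritten
    print(lookup_parameterized(conn, crafted))   # no rows: treated as a literal name
    print(suspicious_input(crafted))             # True
```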

They also allegedly installed backdoors and sniffers to intercept data in real time as it was processed by the victims and tried to hide their actions by accessing the victim networks through proxy computers, modifying their software so as to evade detection by antivirus programs and programming it to delete traces of the malware from victim networks, according to the indictment.

The men also tried to sell the stolen data to others, the indictment alleges. They are charged with conspiracy to gain unauthorized access to computers, commit fraud in connection with computers and damage computers, as well as conspiracy to commit wire fraud. They face up to 35 years in prison as well as a fine of $1.25 million.

Gonzalez, who is in federal custody, was charged in May 2008 in New York with hacking the computer network of Dave & Buster's restaurant chain and was named in an indictment in Massachusetts in August 2008 related to the TJX breach. Other alleged victims in those cases include BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21, and DSW. He faces trial on the New York charges next month.

Heartland reported the breach on presidential Inauguration Day in January and said that although it occurred last year, it found evidence of the intrusion just the week prior.

Formerly a federal government informant, Gonzalez also was arrested in New Jersey in 2003 on charges related to ATM and debit card fraud.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
by davidmoron August 17, 2009 3:39 PM PDT
Don't guys who do this usually get hired by security companies? That is the myth at least
by SIGHUP August 17, 2009 3:43 PM PDT
Perhaps, but with 35 years in jail, I think they will be a little behind on the technology when they get out.
by Lerianis3 August 18, 2009 4:03 AM PDT
Actually, davidmoron, that is usually the truth of these security intrusions. They are either done by someone with inside knowledge or by a disgruntled former employee who just 'looked and listened'.
by armen2772 August 17, 2009 4:08 PM PDT
Wicked stuff!
by pentest August 17, 2009 5:23 PM PDT
Cyber crimes don't get prosecuted, this is the exception that proves the rule.
by inachu August 17, 2009 5:53 PM PDT
They get patted on the back in Russia and Israel.
by Vegaman_Dan August 17, 2009 6:21 PM PDT
PCI Compliance really means nothing to these companies. This has been a known issue for nearly a year now, but they didn't make it publicly known. Instead you just find a company to pay off for the PCI compliance certification without actually being tested or compliant. That's one of the investigations going on now with some of the box stores mentioned above.

It's not terribly difficult to do the man in the middle scenario for most of these box stores. Registers run wireless connections to the store's server. This data is *not* encrypted. Getting the WEP key isn't terribly difficult these days and these stores don't update that often to keep up with the technology. It makes you really scared to use your card at any of these stores once you realize how behind they are.

Can it be fixed? Oh sure, they could update with any of the products currently available and be far better off, but right now most are a good 5-7 years behind the tech curve.
by SIGHUP August 17, 2009 7:05 PM PDT
Here is a quote from the CEO off of http://www.cso.com.au/article/314712/heartland_ceo_data_breach_qsas_let_us_down. Carr: "The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem."
by Vegaman_Dan August 17, 2009 10:18 PM PDT
@SIGHUP:

Unfortunately there are a few rather poor certification companies out there that are willing to take a payment to say a company is compliant without actually ever going on site or doing any testing at all. :/
by Lerianis3 August 18, 2009 4:05 AM PDT
You are right, Vegaman_Dan. Instead of using WEP they should be using WPA at least, or better yet have these things WIRED and not being transmitted through the air in the first place.
by Vegaman_Dan August 18, 2009 11:32 AM PDT
@Lerianis3:

Running cabling to checkstands is now a hassle for store design. Power outlets are everywhere so now a lot of retailers are running wireless registers with IP phones. Much more flexible in configuration and layout, but there are some rather strong security issues to address as you can see.

Yes, they can be fixed, but it takes money and updates that a lot of these companies simply do not see the need for...until something like this happens.
by ferricoxide August 17, 2009 6:30 PM PDT
I had to have three credit cards and a debit card replaced because of the Heartland breach. What's worse was that the only credit card I'd had with me in Europe was precautionarily canceled by my bank the morning I arrived in Germany.
by Lerianis3 August 18, 2009 4:06 AM PDT
HUH! They cancelled it WITHOUT your permission? Something reeks there.... they will NOT cancel credit cards without your permission and in fact, it's illegal to do so! They have to inform you either by phone or letter BEFORE they do that and get your permission.
If your bank does that automatically, they are breaking a hell of a lot of American state and federal and British federal laws.
by Swimming_Bird August 18, 2009 7:45 AM PDT
It seems to me that his bank thought that his card was compromised when they saw charges coming out of Europe. They can put a block on your card if they suspect fraud. If you contacted them to let them know you were traveling then they probably did make a mistake.
by bvdon August 17, 2009 7:44 PM PDT
They took about $500 from my account. The credit union flagged the transactions and reimbursed 100% within days and issued a new card.

So, thank you gents, may you enjoy your stay in jail.

I have to assume that the data was unencrypted. That should be criminal; it's a clear breach of fiduciary duty.
by Lerianis3 August 18, 2009 4:07 AM PDT
It actually IS illegal, but they are not enforcing the law that makes it illegal yet because SO DAMNED MANY places whined about "Our registers cannot support encryption or WPA!"
by biffhenerson August 18, 2009 7:22 AM PDT
Yet another set of defective humans. Put them in cages. 35 years will not be enough.
by Michichael August 18, 2009 12:05 PM PDT
Something seems fishy about this story. Isn't it kind of convenient that they already have the guy they're accusing in custody? I think there's more to this than the media is being told about, and I've got a gut feeling that that guy isn't responsible for TWO major hacks - the logistics of pulling off multiple things like that with just one guy stateside is pretty mind-boggling. And keep in mind folks, innocent until proven guilty. He's accused of it, doesn't mean he did it or isn't just a scapegoat. The law in the US isn't about right or wrong, or even the truth. It's about what side has the most money to make a problem go away.
by kellybrieger August 19, 2009 8:03 PM PDT
Banks, card issuers and other FIs must consider putting the control into the hands of the individuals, taking the form of SMS alerts. Clickatell provides credit/debit card and account transaction notifications via SMS to enable anytime, anywhere alerts between financial service providers and customers, giving power to people to scrutinize transactions as they happen; and not waiting for the fraud to get out of control.