Federal prosecutors have charged a Miami man with the largest case of credit and debit card data theft ever in the U.S., accusing the one-time government informant of plotting to swipe 130 million accounts on top of 40 million he stole previously.
Albert Gonzalez, broke his own record for identity theft by hacking into retail networks, according to prosecutors, though they said his illicit computer exploits ended when he went to jail on charges stemming from an earlier case, according to New York Newsday.
Gonzalez, who is in federal custody in Brooklyn, is awaiting trial next month in New York for allegedly helping hack the computer network of national restaurant chain Dave & Buster’s. He was charged in 2008 with illegally obtaining the credit card information of 5,000 customers at a Dave & Buster’s in Islandia. He pleaded not guilty.
In the latest case, he was indicted Monday by a federal grand jury in New Jersey and charged with conspiring with two other unnamed suspects to steal the private information and sell it to others, according to prosecutors.
Gonzalez and the other hackers living “in or near Russia” were indicted on a charge of allegedly stealing data from Heartland Payment Systems Inc., 7-Eleven Corp., Delhaize Group’s Hannaford Brothers Co., a regional supermarket chain, and two unidentified national retailers. Gonzalez allegedly devised a sophisticated attack to penetrate the computer networks, steal the card data and send that data to computer servers in California, Illinois, Latvia, the Netherlands and Ukraine.
Gonzalez and the two others stole 130 million card numbers from Heartland, a bank-card payment processor, starting in December 2007, by using malicious computer software, according to the 14-page indictment. An undetermined number of card numbers were stolen from 7-Eleven and 4.2 million from Hannaford.
In response to the theft, 7-Eleven said it has been working with authorities for nearly two years.
“7-Eleven, Inc. has learned that federal authorities in New Jersey have indicted individuals for the theft of credit and debit card numbers in a computer hacking scheme targeting multiple retailers in a number of separate incidents over the last several years,” the Dallas-based company said in a statement to Convenience Store Decisions.
The company became aware in late 2007 that a security breach had occurred. “The affected transactions were limited to customers’ use of certain ATMs, owned and operated by a third party, located in 7-Eleven stores over a 12-day period from October 28, 2007, through November 8, 2007,” the company said. “Steps were immediately taken to contain the security breach and prevent any recurrence.”
Upon being notified of the breach, the card companies in accordance with their standard fraud response procedures then alerted the issuing financial institutions regarding the security breach. “Each financial institution made its own decision about what appropriate actions to take, including the issuance of new cards or putting card numbers on alert for fraud. These remedial measures were taken in late 2007 and early 2008,” the statement said.
Because this matter is pending, we are not providing further details, the chain concluded.
Targeted Fortune 500
In the latest case, the hackers scouted potential victims by reviewing a list of Fortune 500 companies and then visiting retail stores to identify the payment processing systems and their vulnerabilities, Newsday reported. They used malicious software known as malware and so-called injection strings to attack the computers and steal data, prosecutors said.
They installed “sniffer” programs to capture data “on a real-time basis” as it moved through the computer networks, and used instant messaging services to advise each other on how to navigate the systems, according to the indictment.
They also programmed malware to evade detection by anti-virus software and erase files that might detect its presence, prosecutors said.
Malicious Software Found
Heartland, based in Princeton, N.J., is used by 175,000 businesses at 250,000 locations. The company said Jan. 20 that it found “malicious software” in its processing system that hackers used to steal data in 2008.
At the time, that was believed to be the biggest single case of hacking private computer networks to steal credit card data, puncturing the electronic defenses of retailers including T.J. Maxx, Barnes & Noble, Sports Authority and OfficeMax, the Newsday report said.