Over 130 Million Credit Card Numbers Stolen

2009-08-19

A man was indicted on Monday in what is reported to be the 'largest case of credit and debit card data theft ever in the United States'.

Devlin Barrett, The Associated Press, is reporting that Albert Gonzalez, a former informant for the U.S. Secret Service, had been working with criminals and providing them with information on the agency's ongoing investigations - even warning the criminals in some cases. Prosecutors say that Gonzalez worked with other unnamed suspects to steal private information with the intention of selling it to others.

Barrett writes that prosecutors say Gonzalez, who is known online as "soupnazi", targeted customers of convenience store giant 7-Eleven Inc. and supermarket chain Hannaford Brothers, Co. Inc. He also targeted Heartland Payment Systems, a New Jersey-based card payment processor. Heartland processes around 100 million transactions per month for around 250,000 merchants and has so far allocated $12.6 million to cover costs stemming from the loss of sensitive card holder data.

Robert Carr, Heartland CEO, stated "We are in a cyber crimes arms race, and we need to stay ahead of the bad guys who never rest and do not call committee meetings to update their malicious tools and attack vectors."

Dan Goodin, The Register, reports that documents filed in the U.S District Court in Newark, New Jersey claim that Gonzalez and three unidentified individuals cased the latest victims by visiting their storefronts and websites to identify the point-of-sale programs and web applications they used. Then used SQL injection attacks to install sniffer software to intercept credit card data as it was being processed. The indictment shows that they tried to cover their tracks by using proxy servers to hide their real IP addresses and used up to 20 different anti-virus programs to ensure that none of them detected the malware used during the scheme.

Gonzalez had already been in jail when he was indicted on Monday, awaiting trial for his involvement in the TJX Companies security breach, which exposed more than 46.5 million card details. Prosecutors believe Gonzalez was the 'ringleader of the hackers' in that case for which he is facing a possible life sentence if convicted.

For this latest case, each individual involved could be charged with two felony counts each for conspiracy to commit wire fraud and conspiracy to gain unauthorized access to computers to commit fraud in connection with computers, and to damage computers. They each face a maximum of 35 years in prison and $1.25 million in fines.

More about the effect on Heartland Payment Systems can be read here. The full article by the Associated Press is available here.