The Justice Department yesterday announced indictments against three hackers thought to be involved in a data theft affecting 130 million credit and debit card accounts, reportedly the largest breach of financial information ever perpetrated in the U.S.
All three are charged with two counts of the following: conspiracy to gain unauthorized access to computers, to commit fraud in connection with computers and to damage computers; and conspiracy to commit wire fraud. Each defendant faces a maximum of 35 years in prison and more than $1 million in fines or twice the monetary gain resulting from the offenses, whichever is greater, The Washington Post reports.
The details of the case provide insight into the complexity of cyber attacks, how criminal hackers operate, and the extent of the problem. One of those indicted includes 28-year-old Miami resident Albert Gonzalez, who also goes by the aliases "segvec," "soupnazi" and "j4guar17." Gonzalez has a long history of committing computer crimes, and even pulled off this mother-of-all computer break-ins while serving as a confidential government informant.
Law enforcement says that beginning in October 2006 Gonzalez and two other unnamed co-conspirators found ways around computer security that afforded them access to the computer systems of a number of businesses, including Heartland Payment Systems, a Princeton, N.J.–based card payment processor. After penetrating these systems, the hackers allegedly stole credit and debit card data, and then covered their tracks by sending that data to computer servers that the team operated in California, Illinois, Latvia, the Netherlands and Ukraine.
During this time, Gonzalez was working both sides of the law, since he had served as a confidential informant to the U.S. Secret Service following his arrest in 2003 for credit card fraud in another case, the Post reports. As an informant, he participated in "Operation Firewall," helping the Justice Department, Secret Service and other law enforcement organizations in 2004 bust 30 or so members of an online network used to buy and sell stolen personal and financial data.
Gonzalez's cyber rap sheet is a long one. In May 2008, the U.S. Attorney's Office for the Eastern District of New York charged Gonzalez for his alleged role in the hacking of a computer network run by a national restaurant chain. Massachusetts prosecutors have likewise indicted Gonzalez and others for a number of hacks affecting eight major retailers—including T. J. Maxx, Barnes & Noble, BJ's Wholesale Club, Boston Market, DSW, Forever 21, Office Max and Sports Authority. The resulting theft of data related to 40 million credit and debit cards, the Post reports. (Gonzalez has pled not guilty to those charges and will go on trial for them next year.)
Prior to the Heartland Payment Systems break-in, the data breach case involving these retailers had been the largest data breach case in U.S. history. This means that if Gonzalez is found guilty in both cases, he will have been a key player in the U.S.'s two largest data heists.
Gonzalez and his co-conspirators in the earlier case stole credit and debit card numbers after breaking into the retailers' wireless networks via a technique known as "wardriving," the practice of using a laptop, antenna and global positioning system to detect wireless access points and determine how they're configured. Once inside the networks, the hackers installed "sniffer" programs to capture card numbers, passwords and account information, as they were processed through the retailers' credit and debit processing networks.
These cyber crimes have cost Heartland $32 million and TJX (the parent company of T. J. Maxx, Marshalls and other retailers) more than $200 million thus far, according to filings the companies have made with the U.S. Securities and Exchange Commission.
Image ©iStockphoto.com/ Mike Cherim