An indictment was returned against three individuals who are charged with being responsible for five corporate data breaches, including the single largest reported data breach in U.S. history, the US Justice Department (DOJ) announced yesterday.
The indictment alleges that the co-conspirators hatched a scheme in which more than 130 million credit and debit card numbers, together with account information, were stolen from Heartland Payment Systems, Inc., based in Princeton, N.J.; 7-Eleven, Inc.; and Hannaford Brothers Co. In addition, two unidentified corporate victims were allegedly hacked by the co-conspirators.
According to the DOJ press release, between October 2006 and May 2008, Albert Gonzalez, 28, of Miami, Fla., acted with two unnamed co-conspirators to identify large corporations, often by scanning the list of Fortune 500 companies and exploring corporate websites. Upon identifying a potential victim, Gonzalez and his co-conspirators sought to identify vulnerabilities, both by physical observation and by online exploration.
The DOJ says that the alleged hackers would go to the retail locations of their potential victims in an attempt to identify the type of point-of-sale machines utilized by the victim companies. After reconnaissance of the computer systems was completed, information would be uploaded to servers which served as hacking platforms. These servers, located in New Jersey and around the world, were used by the co-conspirators to store information critical to the hacking schemes and to subsequently launch the hacking attacks.
Gonzalez was previously indicted in the Eastern District of New York on May 12, 2008, and the District of Massachusetts on August 5, 2008, for his involvement in different conspiracies relating to data breaches of companies such as TJX Companies, Dave & Busters, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. He has been in jail since May 2008 when he was arrested in conjunction with hacking into Dave & Busters.
Gonzalez was also previously arrested in New Jersey in 2003 for his role in ATM and debit card fraud. However, the Wall Street Journal reports, Gonzalez wasn't prosecuted because he agreed to become an informant for the US Secret Service following his arrest.
If convicted, Gonzalez faces up to 30 years in prison on the wire fraud conspiracy charge and an additional five years in prison on the conspiracy charge, as well as a fine of $250,000 for each charge.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.