Indictments announced in Heartland and other breaches

By Greg Masters

June 18, 2010 Updated Aug 18, 2009 at 12:32 PM EDT

Federal indictments were handed down in Washington, D.C. on Monday against three men accused of their involvement in what the U.S. Department of Justice (DoJ) is calling the largest credit- and debit-card data breach in the United States. The men allegedly used sophisticated techniques to bypass network firewalls to penetrate the databases of several institutions, including Heartland Payment Systems, a card-payment processor; 7-Eleven, the nationwide convenience store chain; and Hannaford Brothers, a supermarket chain. The personally identifiable information (PII) of more than 130 million credit and debit card holders is believed to have been stolen.

Albert Gonzalez, 28 years old, of Miami, aka "segvec," "soupnazi," and "j4guar17," and two unnamed co-conspirators, Hackers 1 and 2, residing in or near Russia, were charged with conspiracy and conspiracy to engage in wire fraud and accused of using SQL injection attacks, a sophisticated hacking technique which tries to find a way around a computer network's firewall to gain access to computers connected to the internet.

According to the indictment, SQL injection strings, "a series of instructions to computers used by hackers in furtherance of SQL injection attacks," were placed on victims' networks and programmed to identify, store and export information on computers that were hacked, including information such as credit and debit card numbers and corresponding personal identification information of cardholders...

In a release, the DoJ states that Gonzalez and his co-conspirators researched the credit and debit card systems used by their victims and then devised a sophisticated attack to penetrate their networks and steal credit and debit card data. They then transmitted that data to computer servers they controlled in California, Illinois, Latvia, the Netherlands and Ukraine.

The indictment states that between Oct. 2006 and May 2008, in Mercer and Morris Counties, New Jersey, and elsewhere, the defendants "did knowingly and intentionally conspire and agree with each other...and others to commit offenses against the United States."

There are two counts to the charges: Conspiracy to gain unauthorized access to computers, to commit fraud in connection with computers, and to damage computers, and conspiracy to commit wire fraud. Each defendant faces a maximum of 35 years in prison, as well as more than $1 million in fines.

Gonzalez is already in federal custody for his alleged role in hacks of eight major retail chains – TJ Maxx, Barnes & Noble, BJ's Wholesale Club, Boston Market, DSW, Forever 21, Office Max and Sports Authority – involving the theft of data related to 40 million credit cards. He is scheduled to go up on those charges in 2010. He has pleaded not guilty in that case.

A conviction on the wire-fraud conspiracy charge would place Gonzalez in prison for up to 20 years. The conspiracy charge carries a five-year sentence, and fines of $250,000 for each charge.

The good news is that people are getting indicted, Upesh Patel, VP, business development at Waltham, Mass.-based Guardium, a vendor of safeguards for application and database infrastructure, told SCMagazineUS.com on Tuesday. "Our security industry is fighting. We now have an avenue to funnel our concerns."

The fact that this indictment is attracting attention in the mainstream media underscores that corporations are realizing that the database is where the crown jewels are, Patel said. "And they need to put a set of controls in place to monitor and secure that."

It is no longer enough to rely merely on compliance and audits, said Patel. "The breach at Heartland could have been prevented if controls had been put in place to monitor in real time any changes taking place with the configuration files. Nobody would be able to install a trojan," he said.

Others are not so sure that this indictment spells the end of these attacks. "It may be comforting to some that the central figure behind several major data breaches has been indicted and faces decades of prison time," Michael Maloof, CTO at Post Falls, Idaho-based TriGeo Network Security, told SCMagazineUS.com in an email on Tuesday. "Unfortunately, the indictment will have little effect on the highly lucrative market for credit card and identity information. It's unlikely to have much impact on the businesses that still believe that a major data breach can't happen to them, and there's no sign that regulations will change to address known weaknesses."

While Maloof sees the indictment as a positive step, he cautions that this is still a work in progress. "We can celebrate that a small team of hackers has been taken down, and that there's increased cooperation internationally, but I wouldn't pop the champagne just yet."

The actual number of credit cards that were stolen and sold is still not known, he said. "We may still be facing a tsunami of credit card fraud if there's any truth to the speculation that as many as 100 million cards may have been compromised."


© Copyright 2016, A Quincy Media broadcasting station. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
