Numerous companies have been identified as victims of a nearly seven-year-long hacking operation that resulted Wednesday with the indictment of five more individuals.
The defendants conspired with others, including infamous hacker mastermind Alberto Gonzalez, who in 2010 began serving a 20-year prison sentence for his role in a number of the breaches, including Heartland Payment Systems, TJX and Hannaford Bros.
But even after he was sentenced, the attacks continued. An indictment unsealed on Thursday by federal prosecutors in New Jersey provides additional information about how the defendants gained entry into the organizations, and how much they stole. Global Payments, for example, has remained mum about how attacks on its systems occurred, but the indictment indicates that hackers were able to leverage SQL injection to establish access.
The 17-company list underscores the challenges major organizations still face in warding off attacks that take advantage of the age-old vulnerability of SQL injection.
- NASDAQ – U.S. electronic stock market – Beginning May 2007 – SQL injection attack resulting in malware on network and theft of login credentials.
- 7-Eleven – Convenience store franchise – Beginning August 2007 – SQL injection attack resulting in malware on network and theft of undetermined amount of card numbers.
- Carrefour S.A. – French multinational retailer – Beginning October 2007 – Computer networks breached and approximately two million credit card numbers acquired.
- JCPenney – National retailer – Beginning October 2007 – SQL injection attack that resulted in malware on network.
- Hannaford Bros. Co. – Regional supermarket chain – Beginning November 2007 – SQL injection attack resulting in malware on network and theft of approximately 4.2 million card numbers.
- Heartland Payment Systems, Inc. – Credit and debit card payment processing company – Beginning December 2007 – SQL injection attack resulting in malware on network, theft of 130 million card numbers and losses of approximately $200 million.
- Wet Seal – National retailer – Beginning January 2008 – SQL injection attack resulting in malware on network.
- Commidea Ltd. – Electronic payment and transaction processing company – Beginning March 2008 to around November 2008 – Malware found on networks, and approximately 30 million card numbers acquired.
- Dexia Bank Belgium – Consumer bank – Beginning February 2008 to around February 2009 – SQL injection attacks resulting in malware on network, theft of undetermined amount of card numbers and approximately $1.7 million in losses.
- JetBlue Airways – Airline – Beginning January 2008 to around February 2011 – Unauthorized intrusion resulting in malware on portions of the network that stored personal data of employees.
- Dow Jones – Publishing and financial information firm – Beginning 2009 – Unauthorized access to network resulting in malware on network and theft of approximately 10,000 sets of login credentials.
- “Bank A” – Leading domestic bank in United Arab Emirates – Beginning December 2010 to around March 2011 – Malware placed on networks and used to facilitate theft of card numbers.
- Euronet – Electronic payment and transaction processing company – Beginning July 2010 to around October 2011 – SQL injection attacks resulting in malware on network and theft of approximately two million card numbers.
- Visa – Global payments brand – Beginning February 2011 to around March 2011 – SQL injection attacks resulting in malware on network and theft of approximately 800,000 card numbers. The attack reportedly impacted Visa's licensee, Visa Jordan.
- Global Payment Systems – Electronic transaction processing company – Beginning January 2011 to around March 2012 – SQL injection attacks resulting in malware on payment processing system, theft of more than 950,000 card numbers and losses of approximately $92.7 million.
- Discover Financial Service – financial services company – Beginning June 2011 – SQL injection attack resulting in malware on network, theft of more than 500,000 credit cards and losses of approximately $312,000.
- Ingenicard US – international electronic cash card provider – Beginning March 2012 to around December 2012 – SQL injection attacks resulting in malware on network and theft of undetermined amount of card numbers, later used to withdraw more than $9 million within 24 hours.
