Federal indictments were handed down in Washington, D.C. on Monday against three men accused of involvement in what the U.S. Department of Justice (DoJ) is calling the largest credit- and debit-card data breach in the United States.
The men allegedly used sophisticated techniques to bypass network firewalls and penetrate the databases of several large companies, including Heartland Payment Systems, a card-payment processor; 7-Eleven, the nationwide convenience store chain; and Hannaford Brothers, a supermarket chain. The personally identifiable information (PII) of more than 130 million credit and debit card holders is believed to have been stolen.
Albert Gonzalez, 28, of Miami, aka "segvec," "soupnazi" and "j4guar17," along with two unnamed co-conspirators, Hackers 1 and 2, residing in or near Russia, were charged with conspiracy and conspiracy to engage in wire fraud. The hackers are accused of using SQL injection attacks to get around the victims' firewalls and gain access to computers connected to the internet.
The indictment states that between October 2006 and May 2008, in Mercer and Morris counties, New Jersey, and elsewhere, the defendants "did knowingly and intentionally conspire and agree with each other...and others to commit offenses against the United States."
There are two counts to the charges: Conspiracy to gain unauthorized access to computers, to commit fraud in connection with computers and to damage computers, and conspiracy to commit wire fraud. Each defendant faces a maximum of 35 years in prison, as well as more than $1 million in fines.
Gonzalez and his co-conspirators researched the credit and debit card systems used by their victims and then devised a sophisticated attack to penetrate their networks, according to the indictments. This involved placing SQL injection strings on victims' networks and programming the code to "identify, store and export information on computers that were hacked, including information such as credit and debit card numbers and corresponding personal identification information of cardholders." The hackers were then able to steal credit and debit card data and transmit that data to servers they controlled in California, Illinois, Latvia, the Netherlands and Ukraine.
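The indictment's description of "placing SQL injection strings" comes down to one defect: untrusted input spliced into query text. The following is an added example, not code from the article or from any of the companies named in it. It builds a constructed in-memory SQLite table (the rows are fake; no real cardholder data) and shows the same lookup written two ways, so a reader can see why the string-built query leaks every row while the parameterised one does not. The table and column names are assumptions for illustration.

```python
"""Added example: one lookup written two ways, to show why a string-built
query is injectable and a parameterised one is not.  Illustrative code;
the table and rows are constructed sample data, not real cardholders."""
import sqlite3

# Constructed data: names and the last four digits of a card, nothing real.
SAMPLE_ROWS = [
    ("alice", "1111"),
    ("bob", "2222"),
    ("carol", "3333"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table standing in for a merchant's cardholder store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cardholders (name TEXT, last4 TEXT)")
    conn.executemany("INSERT INTO cardholders VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the caller's input becomes part of the SQL text, so a
    quote character in the input changes the meaning of the WHERE clause."""
    sql = "SELECT name, last4 FROM cardholders WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the input is bound as a parameter.  The database engine
    never parses it as SQL, so it can only ever match a literal name."""
    sql = "SELECT name, last4 FROM cardholders WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    """Run both lookups with an ordinary name and with a constructed
    tautology string, and return the row sets each one produced."""
    conn = make_db()
    honest = "alice"
    hostile = "x' OR '1'='1"  # constructed: widens the WHERE clause to every row
    return {
        "vuln_honest": lookup_vulnerable(conn, honest),
        "vuln_hostile": lookup_vulnerable(conn, hostile),
        "safe_honest": lookup_parameterised(conn, honest),
        "safe_hostile": lookup_parameterised(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The vulnerable function returns one row for "alice" but all three rows for the tautology string; the parameterised function returns the one row for "alice" and nothing for the hostile string, because no cardholder is literally named `x' OR '1'='1`. A database activity monitor of the sort the vendors quoted below describe would flag the first case as a query whose result set is out of proportion to a single-customer lookup.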
Gonzalez is already in federal custody for his alleged role in hacks of eight major retail chains – TJX, which owns T.J. Maxx; Barnes & Noble; BJ's Wholesale Club; Boston Market; DSW; Forever 21; Office Max and Sports Authority – involving the theft of data related to 40 million credit cards. He is scheduled to go to trial on those charges in 2010. He has pleaded not guilty in that case.
A conviction on the wire-fraud conspiracy charge would place Gonzalez in prison for up to 20 years. The conspiracy charge carries a five-year sentence, and fines of $250,000 for each charge.
The good news is that people are getting indicted, Upesh Patel, VP, business development at Waltham, Mass.-based Guardium, a vendor of safeguards for application and database infrastructure, told SCMagazineUS.com on Tuesday. "Our security industry is fighting. We now have an avenue to funnel our concerns."
The fact that this indictment is attracting attention in the mainstream media underscores that corporations are realizing that the database is where the crown jewels are, Patel said. The lesson to be learned here, he said, is that corporations must put a set of controls in place to monitor and secure their data.
It is no longer enough to rely merely on compliance and audits, said Patel. "The breach at Heartland could have been prevented if controls had been put in place to monitor in real time any changes taking place with the configuration files on their network. Nobody would be able to install a trojan," he said.
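The control Patel describes, watching configuration files for unexpected changes, can be reduced to a baseline of file hashes and a periodic comparison. The block below is an added example written for this page; it is not Guardium's product or anything from the article. It assumes a list of watched paths (here constructed in a temporary directory) and reports files that changed, appeared or disappeared since the baseline was taken.

```python
"""Added example: minimal file-integrity monitoring of configuration files.
Baseline the SHA-256 of each watched file, then report any drift.
Illustrative code; the watched files are constructed in a temp directory."""
import hashlib
import os
import tempfile


def hash_file(path: str) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(paths: list) -> dict:
    """Record a known-good hash for every watched path that currently exists."""
    return {p: hash_file(p) for p in paths if os.path.isfile(p)}


def check(base: dict, paths: list) -> dict:
    """Compare the current state of the watched paths against the baseline.
    Returns the basenames of files that changed, were removed, or appeared."""
    current = baseline(paths)
    return {
        "changed": sorted(os.path.basename(p) for p in base
                          if p in current and current[p] != base[p]),
        "removed": sorted(os.path.basename(p) for p in base if p not in current),
        "added": sorted(os.path.basename(p) for p in current if p not in base),
    }


def _write(path: str, text: str, mode: str = "w") -> None:
    with open(path, mode) as f:
        f.write(text)


def demo() -> tuple:
    """Take a baseline over constructed config files, run a clean check,
    then simulate an edit, a deletion and a new file, and check again."""
    with tempfile.TemporaryDirectory() as d:
        app_conf = os.path.join(d, "app.conf")
        hosts_conf = os.path.join(d, "hosts.conf")
        extra_conf = os.path.join(d, "extra.conf")  # watched but absent at baseline
        _write(app_conf, "db_host=10.0.0.5\n")       # constructed content
        _write(hosts_conf, "allow=10.0.0.0/8\n")     # constructed content
        watched = [app_conf, hosts_conf, extra_conf]

        base = baseline(watched)
        clean = check(base, watched)

        # Simulated drift: an appended setting, a removed file, a new file.
        _write(app_conf, "debug=true\n", mode="a")
        os.remove(hosts_conf)
        _write(extra_conf, "x\n")
        dirty = check(base, watched)
        return clean, dirty


if __name__ == "__main__":
    before, after = demo()
    print("clean:", before)
    print("dirty:", after)
```

In production the baseline would be stored off the monitored host and signed, and the check would run on a schedule or on filesystem events rather than once; the comparison logic is the same. The point Patel makes is that the first "changed" entry is the alert, not a quarterly audit finding.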
Others are not so sure that this indictment spells the end of data breaches.
"It may be comforting to some that the central figure behind several major data breaches has been indicted and faces decades of prison time," Michael Maloof, CTO at Post Falls, Idaho-based TriGeo Network Security, told SCMagazineUS.com in an email on Tuesday. "Unfortunately, the indictment will have little effect on the highly lucrative market for credit card and identity information."
Though Maloof sees the indictment as a positive step, he cautions that this is still a work in progress.
"We can celebrate that a small team of hackers has been taken down, and that there's increased cooperation internationally, but I wouldn't pop the champagne just yet," he said.
"With the news of the indictment on the Heartland breach dominating the headlines, even the most non-technical among us are again made aware of how vulnerable web applications can be," Steve Moyle, founder and CTO of New York-based Secerno, a vendor of active database controls, told SCMagazineUS.com in an email on Tuesday. "What Heartland points to is the need for data to be protected at all times, including when stored on a database, because it will always be under siege."
Companies need to know every interaction being done with their stored data, both from people inside and outside the company, Moyle said. "Before we get dazzled by the numbers of Heartland, we should remember that it can – and will – happen again."
TriGeo's Maloof added that the actual number of credit cards that were stolen and sold is still not known. "We may still be facing a tsunami of credit card fraud if there's any truth to the speculation that as many as 100 million cards may have been compromised," Maloof said.