Former Secret Service informant named in 'largest credit card data breach ever'
Today, the US Department of Justice announced that a 28-year-old hacker and former Secret Service informant named Albert Gonzales is being indicted for the third and, by far, the largest crime of his short career: participation in the theft of more than 130 million credit and debit card mag-strip data dumps, in attacks between 2006 and 2008.
Gonzales was already in federal custody for several major data breaches. He faces trial in New York next month for the first, which involved hacking restaurant Dave and Busters' payment system. Then the second case will be heard in Boston in 2010 for Gonzales' involvement in the theft of data off of more than 40 million credit card mag-strips from OfficeMax, Barnes & Noble, BJ's Wholesale Club, and many more.
Just after his arrest, then-Attorney General Michael Mukasey said, "So far as we know, this is the single largest and most complex identity theft case ever charged in this country."
But a statement from the Department of Justice today one-ups that notorious achievement: "The indictment, which details the largest alleged credit and debit card data breach ever charged in the United States, alleges that beginning in October 2006, Gonzales and his co-conspirators researched the credit and debit card systems used by their victims; devised a sophisticated attack to penetrate their networks and steal credit and debit card data; and then sent that data to computer servers they operated in California, Illinois, Latvia, the Netherlands and Ukraine. The indictment also alleges Gonzales and his co-conspirators also used sophisticated hacker techniques to cover their tracks and to avoid detection by anti-virus software used by their victims."
Among the victims listed by the DOJ are Heartland Payment Systems, the sixth largest credit card processor in the United States; national convenience store chain 7-Eleven; and Hannaford Bros. Supermarkets.
Earlier this year, Heartland Payment Systems announced that it was the victim of a massive compromise, but President and CFO Robert Baldwin said, "Our discussions with the Secret Service and Department of Justice give us a pretty good indication that this is part of a group that appears to have done security breaches at other financial institutions."
The case is being overseen by the US Secret Service, and will be heard in US District Court in New Jersey. There, Gonzales will be indicted on charges of conspiracy and conspiracy to engage in wire fraud.
Gonzales allegedly used SQL injections to put "sniffers" on in-store computers which would then capture credit card numbers and account information. This information could then be put on blank cards to drain user accounts of all their cash, or sold on the black market. He already faces life in prison in the Boston case.