Stunning indictments announced on Monday by the U.S. attorney in New Jersey against three defendants for the first time reveal the number of credit and debit card numbers stolen in the Heartland Payment Systems Inc. data breach: 130 million. That confirms speculation that Heartland's was the biggest card hack ever. Further, the indictments allege that a Miami man currently behind bars for the earlier record breach at off-price retailer TJX Cos. is the mastermind behind several of the most notorious card-related computer hackings of recent years. If all of the new and older allegations prove true, Albert Gonzalez, 28, and his accomplices stole more than 174 million card numbers.

“The scheme is believed to constitute the largest hacking and identity-theft case ever prosecuted by the U.S. Department of Justice,” says a release from Ralph J. Marra Jr., acting U.S. attorney in Newark.

Gonzalez, a former federal informant about computer crime, currently is in a federal jail in Brooklyn, N.Y. He and 10 others were indicted a year ago in connection with TJX's or other hacks. Authorities arrested Gonzalez three months earlier in connection with a data breach at restaurant firm Dave & Buster's Inc. (Digital Transactions News, Aug. 6, 2008). Authorities said the TJX breach accounted for about 40 million card numbers, though one expert estimated the number at more than 90 million.

The new indictment charges Gonzalez with one count of conspiracy involving computers and one count of conspiracy to commit wire fraud between October 2006 and May 2008. Convictions on both counts could lead to 35 years in prison and fines of $250,000 on the first count and $1 million or twice the ill-gotten gain on the second. The feds also charged two unnamed alleged co-conspirators, “Hacker 1” and “Hacker 2,” both of whom “resided in or near Russia.” An unindicted co-conspirator called “P.T.,” who lived in Virginia Beach, Va., and Miami, also lent key support.
An attorney for Gonzalez could not be reached for comment.

Besides Heartland, the new indictments allege the hackers broke into the computer systems of supermarket chain Hannaford Bros. Inc., convenience-store chain 7-Eleven Inc., and two major national retailers identified only as “Company A” and “Company B.” The indictments say the Hannaford breach resulted in the theft of 4.2 million card numbers but don't give numbers for the 7-Eleven or Company A and B breaches.

As they said a year ago, authorities reaffirmed Monday that Gonzalez and his partners were unusually sophisticated, first combing lists of Fortune 500 companies for possible victims and then scanning their Web sites to identify vulnerabilities. According to the indictment, Gonzalez and P.T. would go into stores of potential victims to assess their point-of-sale payment systems. The defendants reportedly leased or controlled servers in New Jersey, California, Illinois, Latvia, the Netherlands, and Ukraine.

In carrying out the attacks, Gonzalez allegedly provided hackers 1 and 2 and P.T. with so-called SQL injection strings (a series of instructions to access computer databases) and malicious software (malware) that could gain unauthorized entry to corporate networks and then find, store and transmit card numbers.

“Beginning on or about Dec. 26, 2007, Heartland was the victim of a SQL injection attack on its corporate computer network that resulted in malware being placed on its payment-processing system and the theft of more than approximately 130 million credit and debit card numbers and corresponding card data,” the indictment says. Company A was the victim of an SQL attack beginning on Oct. 23, 2007. Company B had a similar attack in January of 2008, 7-Eleven sustained one in August 2007, and Hannaford in early 2007.
“The co-conspirators often worked together on a real-time basis, contacting each other by instant messaging as they were improperly accessing the corporate victims' computer systems,” according to the release. “Once the target information was discovered, it would be stolen from the corporate victims' servers and placed onto servers controlled by Gonzalez and the co-conspirators.”

In addition to searching for credit and debit card data on the victims' computer systems, the indictment alleges that “Gonzalez and the co-conspirators installed 'sniffers,' which conducted real-time interception of credit and debit card data being processed by the corporate victims and subsequently stolen from the corporate victims' computer servers.”

The hackers also reportedly took elaborate steps to conceal their work, including leasing computer platforms under false names, using more than one screen name (Gonzalez reportedly also was known as “segvec”, “soupnazi” and “j4guar17”), and using proxies to disguise the Internet Protocol addresses from which their attacks originated. They also are alleged to have tested their malware against about 20 different antivirus detection programs. While most of their work was in secret, the indictments further describe a series of “overt acts” by the defendants, including discussions over Internet messaging services related to the hackings.

In a statement late Monday, Heartland chairman and chief executive Robert O. Carr said his company “would like to congratulate Department of Justice and Treasury officials on their effort to bring to justice some of the individuals behind numerous data breaches in recent years. The commitment and persistence shown by law enforcement and other stakeholders in this matter has been exemplary.”

Gonzalez is scheduled to stand trial next month in Boston on the earlier charges, for which he faces possible life imprisonment if convicted.