The former record theft of 45 million credit card numbers has been topped. Three hackers face charges for stealing over 130 million credit and debit card numbers via malware and an SQL injection attack on corporate servers. The head honcho now faces 20 years in prison.
A Florida man may have busted the world record for consumer data theft after allegedly stealing 130 million credit and debit card numbers. The US Department of Justice announced Monday afternoon that 28-year-old Albert Gonzales and two co-conspirators had been indicted for conspiracy. If true, Gonzales and gang may have beaten the credit card theft high score of 45 million accounts nearly three times over.
Gonzales, going by the online name of "segvec," and his two buddies (soupnazi and j4guar17, in case you were wondering) allegedly began researching the credit card systems used by various companies in October of 2006 and devised the attack to steal the data in question. The team chose an SQL injection exploit to get around corporate firewalls to steal credit and debit information. Their success has led to charges of conspiracy to hack into certain retail and financial organizations, as well as conspiracy to commit wire fraud.
It appears that, in many cases, they succeeded—according to the DoJ, the team successfully jacked 130 million card numbers and transmitted them to servers in California, Illinois, Latvia, the Netherlands, and Ukraine. Some of the companies affected by the attack include convenience store chain 7-Eleven, Heartland Payment Systems (a credit card processor), and Hannaford Brothers Co. (a supermarket chain).
The DoJ describes the incident as "the largest alleged credit and debit card data breach ever charged in the United States." Indeed, before today, the former high score was represented by the scarlet letter on the forehead of TJX, parent company of retailer T.J. Maxx. That data breach, which occurred between mid-2005 and early 2007 as well as at various points in 2003 and 2004, involved "at least" 45.7 million credit and debit card numbers. The theft of such a massive amount of data occurred, unsurprisingly, due to glaring security holes in the computer systems that process and store payment information.
Gonzales' success came for similarly stupid reasons. Heartland Payment Systems, one of the companies victimized, revealed earlier this year that it may have leaked up to 100 million credit and debit accounts onto the black market due to malware in its system. It turns out that one of the systems in the payment processing chain had been infected with an unidentified bit of malware designed to track and report the magnetic information stored on the back of a credit card as that data was sent through the system. Though Heartland said that no personally identifiable information was transmitted, that magnetic data could easily be transferred to a new physical card.
Gonzales is facing up to 20 years in prison, and isn't likely to win over any sympathy points on this one, either. As it turns out, he is already in federal custody thanks to a previous incident wherein he supposedly hacked the network for a major restaurant chain in May of 2008. Additionally, in August of 2008, Gonzales was indicted for a series of other retail hacks that affected eight major retailers and the theft of 40 million more credit card numbers. "The charges announced today relate to a different pattern of hacking activity that targeted different corporate victims and involved different co-conspirators," explained the DoJ. Given Gonzales' history, it seems that 130 million credit and debit cards may just be the tip of the iceberg.
Source: Ars Technica