A Miami hacker, along with two others "in or near Russia," was indicted for conspiring to steal approximately 130 million credit and debit card numbers. The group's sophisticated attacks targeted Heartland Payment Systems, Inc. along with large retailers including 7-Eleven, the Hannaford Brothers grocery store chain and two unnamed corporate victims.
According to the indictment, 28-year-old Albert Gonzalez (aka "soupnazi," "segvec," and "j4guar17") orchestrated a coordinated operation which scouted victim companies and proceeded to hack their way to more than 130 million card numbers. A vast majority of those numbers came from Heartland Payment Systems, a national credit card processing company. According to Wired, the group captured credit card numbers, expiration dates, and in 20% of cases, the cardholder's name.
Gonzalez faces up to 35 years in prison.
According to his indictment, Gonzalez played a primary role in a vast scheme to infiltrate victim companies, steal credit and debit card information, and leave "sniffers" within victim systems so that the group's programs could continue sending credit card info to the hackers. The DOJ described the group's work as highly sophisticated, using malware to prevent detection and disable host systems' anti-virus software.
Gonzalez is by no means a new acquaintance of authorities. According to the Miami Herald, in this round of heists, his group shattered his own record for card numbers allegedly stolen. In 2008, Gonzalez was indicted for allegedly stealing approximately 40 million card numbers from retailers including TJ Maxx, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.
In that operation, Gonzalez and his crew allegedly got into victim company networks by cruising Miami's busy U.S. Hwy 1, scanning big box retailers' wireless networks for vulnerabilities.
And the kicker... before the 2007 arrest he was a Secret Service informant. According to the Miami Herald, after being busted in 2003 for credit card theft in New Jersey, he avoided conviction by becoming an informant. The government authorized his move to Florida, where he allegedly quickly began operating again.
- The Indictment (FindLaw's Courtside)
- Profile of a hacker: How the "soupnazi" did it (Salon)
- Heartland Payment Data Breach Draws Class Action Lawsuit (FindLaw's Common Law)
- Heartland data breach sparks security concerns in payment industry (Computer World, January 2009)