On August 17th, the federal district court in New Jersey returned an indictment against the individuals responsible for five corporate data breaches, including the largest reported breach in U.S. history. The individuals, Albert Gonzalez and two unnamed Russian co-conspirators, are alleged to have carried out a sophisticated attack in which they stole more than 130 million credit and debit card numbers from Heartland Payment Systems, 7-Eleven and Hannaford Brothers and also hacked two other unidentified corporations. Mr. Gonzalez, who supposedly called his credit card theft ring “Operation Get Rich or Die Tryin”, has also been accused of carrying out the TJX breach.
The indictment alleges that Gonzalez and his co-conspirators launched SQL-injection attacks, which exploit Structured Query Language (SQL), the programming language designed to retrieve and manage data, to gain unauthorized access to the corporations' computer networks. The attacks resulted in malware being placed on the networks that could be used to locate, store and transmit credit and debit card numbers and data, and that enabled "back door" access to the networks at later dates. The indictment further alleges that "sniffer" programs were installed that could capture and transfer credit and debit card data in real time as the information moved through the processing networks.
Gonzalez and his co-conspirators allegedly identified potential victims by reviewing a list of Fortune 500 companies and by visiting retail stores and websites to identify the payment processing systems used. From this research they attempted to understand the potential vulnerabilities of the systems in order to plan their attack.
The timing of the indictments was critical, since (according to comments by his attorney) a plea agreement was about to be reached between Gonzalez and federal prosecutors in Massachusetts and New York that possibly would have ended all active investigations. Further negotiations on that plea agreement now appear to have been halted in light of the new indictment.
Another significant facet of these data hacks is the civil litigation that has resulted from them. The class action against TJX Cos. for its data breach resulted in a costly $178 million settlement with the financial institution plaintiffs. A number of lawsuits by financial institutions and several consumer class actions have now been filed against Heartland since the announcement of the breach.