Could one master criminal turn out to have been the source of most credit union card security losses since 2007?
That is what last week’s federal indictment suggests.
The two-count indictment handed down in the U.S. District Court for New Jersey alleged that Albert Gonzalez and two Russian co-conspirators (named as Hacker 1 and Hacker 2) infiltrated and stole debit and credit card data from Heartland Payment Systems, 7-Eleven, Hannaford Brothers Co. and two national retailers named as “Company A” and “Company B.”
The U.S. Attorney’s Office said Company A and Company B were not identified in the indictment because they had not made their card security breaches public.
Gonzalez, a former informant with the U.S. Secret Service on computer hacking crimes, had already been indicted last year with other alleged co-conspirators for allegedly hacking into and stealing card data from the restaurant chain Dave and Busters and TJX, parent firm of several national retail chains. Jury selection in that case is expected to get underway next month.
Credit unions and other card issuers were particularly hurt by the Heartland, Hannaford, and TJX breaches. Acting U.S. Attorney for New Jersey, Ralph Marra, put the number of credit and debit accounts compromised in the crimes covered by the most recent indictment at more than 130 million.
“This investigation marks the continued success of law enforcement in tracking down cutting-edge hacking schemes committed by hackers working together across the globe,” said Marra. He added that the investigation was greatly facilitated by those companies that took a proactive approach in working with law enforcement to identify and stop hackers. “When companies make the decision to work with law enforcement and disclose a data breach at the earliest possible opportunity, it provides the best chance at apprehending a hacker and demonstrates that those corporate victims will actively defend their systems.”
The indictment alleged that between October 2006 and May 2008, Gonzalez acted with two unnamed conspirators to identify large corporations, often by scanning the list of Fortune 500 companies and exploring corporate Web sites. Upon identifying a potential victim, Gonzalez and his cohorts sought to identify vulnerabilities, both by physical observation and by online exploration, the government charged.
As an example, the indictment related an incident in which Gonzalez and an individual identified as “P.T.” went to the retail locations of their potential victims in an attempt to identify the type of point-of-sale machines they used. After reconnaissance of the computer systems was completed, information was uploaded to servers, which became hacking platforms. These servers, located in New Jersey and around the world, were allegedly used by the conspirators to store information critical to the hacking schemes and to subsequently launch the hacking attacks.
The indictment added that the conspirators often worked together on a real-time basis, contacting each other by instant messaging as they were hacking corporate victims’ computer systems, and indicated that the authorities actually had copies of those messages. Once Gonzalez and his accomplices discovered the targeted data, they stole it from the corporate victims’ servers and moved it to servers they controlled, the indictment charged.
The indictment alleged that, in addition to searching for credit and debit card data on the victims’ computer systems, Gonzalez and the conspirators installed “sniffers,” which conducted real-time interception of credit and debit card data that was processed by the corporate victims and subsequently stolen from the corporate victims’ computer servers.
Reaction to the news of the Gonzalez indictment has been congratulatory and cautious.
“Heartland Payment Systems would like to congratulate the Department of Justice and Treasury officials on their effort to bring to justice some of the individuals behind numerous data breaches in recent years,” said Robert Carr, CEO of Heartland, perhaps the biggest alleged Gonzalez victim.
“The commitment and persistence shown by law enforcement and other stakeholders in this matter has been exemplary. Heartland looks forward to lending whatever support we can to this investigation as well as the broader fight against global cyber criminals,” he added.
Chuck Cashman, director of product management for CUNA Mutual Group, wondered how Gonzalez managed to allegedly commit these crimes since, at least in the beginning, he had been an informant for the Secret Service in its investigation of a complex web of selling compromised card data called Shadowcrew.
“Clearly, somebody was not keeping a close enough eye on this guy,” Cashman said.
Steve Ruwe, former security executive with Visa USA and now chief risk officer for PSCU Financial Services, and Eric Laykin, managing director for Duff and Phelps, a financial advisory and investment banking firm, agreed that credit unions should not become complacent about the risks in the face of the Gonzalez indictment.
Laykin said the capture, while a good sign of the seriousness with which federal law enforcement had begun to treat this sort of fraud, also pointed out the strength of what he called a “black cottage industry” in trading compromised card data.
“We have to assume by now that there are people all over the world who have been learning from these guys how to do this,” Laykin said. “They apprentice to each other and learn how to make this work,” he added.
Ruwe also praised the investigation but noted that there will still always be a battle between card issuers and thieves over technology. He said that a number of years will likely have passed by the time Gonzalez goes to trial for the Heartland charges and by that time the technology he used may be old hat. “Look at your cell phone,” Ruwe said, “how much is that changing model to model and year to year?”
It is not yet clear that Gonzalez has an attorney for last week’s indictment.
—dmorrison@cutimes.com