Albert Gonzalez Gets 20 Years for TJX / Heartland Breaches

Last week was a tough week for Albert Gonzalez, the so-called "leader of the largest hacking and identity theft ring ever prosecuted by the U.S. government." Gonzalez received a sentence of 20 years of imprisonment in two separate federal cases against him. The hacker, known variously as "segvec," "soupnazi" and "j4guar17," pled guilty in the New Jersey and Massachusetts cases for his role as mastermind of the two largest financial data breaches ever, those involving TJX and Heartland Payment Systems.

The federal court sentencing entries state that after Gonzalez serves his 240-month sentence, he will be subject to 3 years of supervised release, fines and substantial restitution, to be determined at hearings scheduled in June. The Department of Justice press release (.pdf) details some of Gonzalez's activities, which included:

  • Wardriving: "driving around in a car with a laptop computer looking for unsecure wireless computer networks of retailers."
  • Installation of sniffer programs to capture credit and debit card numbers used at retail stores.
  • Selling credit and debit card numbers to others for fraudulent use.

The DOJ press release also indicates that while six of Gonzalez's co-conspirators have been captured (as far away as in Germany and Turkey), Gonzalez's activities may have compromised "tens of millions of credit and debit card numbers, affecting more than 250 financial institutions."

In January, we posted details from the debate during Gonzalez's sentencing, including his claim that he suffered from "internet addiction." At that time, Gonzalez's attorneys requested a sentence of 15 years for his crimes.

Incident of the Week: Declassified Documents Show FBI Expanding Data Mining Efforts Over 1.5 Billion Personal Records (And Counting)

Declassified documents obtained (but not published) by WIRED Magazine indicate that the FBI has been hard at work expanding a database of Americans' personal and financial information. According to WIRED, the FBI's National Security Branch Analysis Center (NSAC) has compiled a database of "more than 1.5 billion government and private-sector records" and has been mining this database for use in criminal investigations. The data, which apparently has been obtained from a number of private companies, includes transaction records from hotels, rental car companies and retailers. [Note that this database dwarfs the largest known data breach to date, which involved a mere 130 million records. One hopes that they have policies in place to prevent abuse.] The records include:

  • International travel records of citizens and foreigners
  • Financial forms filed with the Treasury by banks and casinos
  • 55,000 entries on customers of Wyndham Worldwide, which includes Ramada Inn, Days Inn, Super 8, Howard Johnson and Hawthorn Suites
  • 730 records from rental-car company Avis
  • 165 credit card transaction histories from Sears
  • Nearly 200 million records transferred from private data brokers such as Accurint, Acxiom and Choicepoint
  • 17,000 traveler itineraries from the Airlines Reporting Corporation

This program is picking up speed. Declassified documents obtained by WIRED apparently show that the FBI has 103 full-time employees and contractors devoted to the project and has requested funding for 71 more. Funding for the program has expanded from $47.5 million in 2007 to $78.7 million in 2008. A U.S. Department of Justice document (.pdf) indicates that in 2009 alone, NSAC received 18 new employees and a more than $10 million increase in its budget.

This is not the first data mining project developed for the purposes of investigating terrorism and criminal activities. In the wake of the September 11, 2001 attack, the U.S. government began development on a data mining project called "Total Information Awareness" or "TIA," which would analyze vast amounts of information regarding financial transactions, travel, health records and other types of customer data to detect terrorism and criminal activity. The Defense Advanced Research Projects Agency (DARPA) and the Pentagon's short-lived Information Awareness Office were chiefly responsible for this project. Based on concerns about the scope and privacy implications of the project, Congress pulled funding for the TIA program and shuttered the Information Awareness Office in September 2003.

The current NSAC program makes it clear that the government has not given up on efforts to use large-scale data mining in criminal investigations. To many, however, the program implicates the same privacy concerns as TIA and should be subject to strict scrutiny and oversight. In 2007, congressmen Brad Miller and James Sensenbrenner sent a letter (.pdf) to the Government Accountability Office asking them to look into the NSAC project. One year later, congressman Miller sent a second letter (.pdf) to the House Committee on Appropriations demanding that funding to NSAC be suspended until the FBI outlines the program's purpose and provides "a clear idea of how NSAC intends to ensure that the program complies" with privacy guidelines. According to congressman Miller, the U.S. Department of Justice refused to provide any information on the FBI's plan for the program and what information they planned to obtain. In addition, the FBI apparently told GAO officials that the NSAC program was "not yet 'operational'" in an April 3, 2008 meeting. In contrast, documents obtained by WIRED apparently indicate that the NSAC data mining operations have been used in prosecuting a number of individuals.
