According to a press release from the United States Attorney’s Office for the District of New Jersey, yesterday an "indictment was returned against three individuals who are charged with being responsible for five corporate data breaches, including the single largest reported data breach in U.S. history." According to the press release, the indictment describes a scheme whereby Albert "Segvec" Gonzalez and two unnamed Russian defendants (identified as "Hacker 1" and "Hacker 2") stole "more than 130 million credit and debit card numbers together with account information" from Heartland Payment Systems, 7-Eleven, Inc., and Hannaford Brothers Co.," and also hacked into two unidentified corporate victims.
Note that this is the same Albert Gonzalez that is awaiting trial for his role in the notable attack suffered by TJX that is now only the second largest known breach of its kind.
The indictment alleges that, between October 2006 and May 2008, Gonzales and an uncharged co-conspirator named "P.T." identified potential corporate victims by, among other things, reviewing a list of Fortune 500 companies. They would then travel to retail stores of potential victims to identify point of sale terminals (checkout machines) and learn about potential vulnerabilities of those systems. P.T. would visit the corporate websites of potential victims to identify vulnerabilities in the payment processing systems the victims used. According to the indictment, the conspirators maintained computers in New Jersey and around the world that stored malware and other information critical to the hack. Gonzalez, P.T. and Hackers 1 and 2 then hacked into the victims’ networks using various methods, including SQL injection attacks, which is a well-known attack that exploits security vulnerabilities between an online interface and the back-end customer database.
Once they had hacked into the computer networks, the conspirators placed malware on the victims’ networks that enabled them to access the networks at a later date. They would then find credit and debit card data and transmit it to servers they controlled. At the same time, they installed "sniffer" programs, which would conduct real-time interception of data being processed by the victims and periodically transfer this data to the conspirators. The indictment alleges that the conspirators often worked together on a real-time basis via instant messaging to advise each other how to navigate the victims’ networks. The conspirators concealed their actions in numerous ways, including disguising the IP addresses of their computers through intermediary (or "proxy") servers, and by placing additional malware on the victims’ networks that could evade anti-virus software and would erase traces of the malware’s presence on the networks.
Each defendant faces a maximum of 35 years in prison and more than $1 million in fines or twice the gain from the crimes, whichever is greater. According to the press release, Gonzalez is currently in jail in Brooklyn, New York and awaiting trial in New York and Massachusetts related to prior instances of data theft.
While it is certainly good to know that the Department of Justice continues to take an active role in large-scale incidents, the description of the scheme in the indictment should give retailers and other institutions pause and perhaps a reason to review information security measures. While the perpetrators in this case are obviously skilled programmers, it appears that they obtained some of the information essential to executing their scheme simply by observing check out registers and visiting corporate websites. [Editor’s note: the FTC has considered SQL injection attacks to be "commonly known or reasonably foreseeable" since at least 2000, see FTC’s enforcement action against Guess? and comments by the FTC’s chief privacy officer. If your company has not hardened its website to these attacks, it may be assuming an undue risk.] Moreover, it appears from the indictment that three of the four individuals are still at large, and of course there are likely numerous individuals out there with both the means and the motive to perpetrate similar schemes. Because the indictment is fairly general in the details of the mechanics of the hacks, it will be interesting to see what details come out in the prosecution of the case and what lessons, if any, companies can learn from those details.
- "Three Men Indicted for Hacking into Five Corporate Entities, including Heartland, 7-Eleven, and Hannaford, With Over 130 Million Credit and Debut Card Numbers Stolen", August 17, 2009 Press Release from New Jersey United States Attorney’s Office
- Indictment Against Albert Gonzalez, Hacker 1 and Hacker 2