Three men were indicted on federal charges in the largest computer hacking and identity theft case ever charged in the U.S. The defendants allegedly hacked into computer networks of major U.S. retail and financial organizations -- using a standard (and preventable) SQL injection attack that exploits a database when user input is not properly filtered -- and stole data related to more than 130 million credit and debit cards.
Albert Gonzalez, of Miami, along with two unnamed Russians, stands accused of hacking into Heartland Payment Systems, 7-Eleven, and Hannaford Bros. The stolen data was sent to computer servers that Gonzalez and his co-conspirators operated in California, Illinois, Latvia, the Netherlands, and Ukraine.
The hackers were also allegedly involved in the cracking of a Citibank-branded ATM network lcoated in 7-Eleven stores. The group penetrated a network linking 2,200 ATMs (by breaching a back-end system that had been outsourced by 7-Eleven) and stole card and PIN codes, using them to steal about $2 million in cash from Citibank ATMs. They also compromised prepaid iWire cards and withdrew about $5 million, which was sent to Russia.
Gonzalez is currently awaiting trial on charges that he and others allegedly also stole more than 40 million credit-card numbers from TJX and others, costing TJX $200 million.
According to the Justice Department, Gonzalez had been arrested in 2003, but not charged because he agreed to become an informant for the Secret Service.
See, "Three Indicted in Major Hacking Case," Wall St. Journal, August 17, 2009, at http://online.wsj.com/article/SB125053669921337753.html; "U.S. Indicts 3 in Theft of 130 Million Bank Cards," New York Times, August 17, 2009, at http://www.nytimes.com/2009/08/18/technology/18card.html; "Arrest in Epic Cyber Swindle," Wall St. Journal, August 18, 2009, at http://online.wsj.com/article/SB125053669921337753.html; "Hacker Indictments Highlight Application Security," InformationWeek, August 18, 2009, at http://www.informationweek.com/blog/main/archives/2009/08/hacker_indictme.html;jsessionid=2IV31GYNRMD3RQE1GHOSKHWATMY32JVN; "Cyber-thieves linked to Citibank ATM breach," Financial Times, August 24, 2009, at http://www.ft.com/cms/s/0/0e964e10-9046-11de-bc59-00144feabdc0.html.