A federal grand jury has indicted a Miami man and two Russian hackers for their involvement in an international scheme to steal more than 130 million credit and debit card numbers from five companies.
The indictment alleges the men conspired to conduct the largest credit and debit card data breach ever charged in the United States.
The Department of Justice issued a statement today about the indictment, which accuses Albert Gonzalez, 28, and two unnamed Russian citizens of stealing data from Heartland Payment Systems Inc., 7-Eleven Inc. and Hannaford Brothers Co. Two other companies remain unnamed because their breaches have not been made public, the DOJ said.
The two-count indictment alleges conspiracy and conspiracy to engage in wire fraud. Gonzalez, AKA "segvec," "soupnazi" and "j4guar17," is charged, along with two unnamed co-conspirators, with using a SQL injection attack to bypass company network firewalls to steal credit and debit card information.
The indictment alleges that beginning in October 2006, Gonzalez and the two Russian hackers researched the credit and debit card systems used by the companies. They then developed a plan to attack and penetrate their networks to steal the data. Once the data was retrieved, it was sent to computer servers they operated in California, Illinois, Latvia, the Netherlands and Ukraine. Prosecutors said the trio also used a number of techniques to hide their activity, including testing their malware against top antivirus products to evade detection and programming the malware to delete its tracks on victim networks.
If convicted, Gonzalez faces up to 20 years in prison on the wire fraud conspiracy charge and an additional five years in prison on the conspiracy charge, as well as a fine of $250,000 for each charge.
Gonzalez, who is currently in federal custody, was indicted in the Eastern District of New York in May 2008 in the data security breach at 11 Dave & Busters restaurants.
That indictment also charges two other men, Maksym Yastremskiy of Kharkov, Ukraine, and Aleksandr Suvorov of Estonia, with wire fraud, computer fraud, aggravated identity theft, and other crimes in connection with the scam, which occurred in 2007. Yastremskiy and Suvorov allegedly gained unauthorized access to the point-of-sale servers at each restaurant and installed a packet sniffer designed to capture Track 2 data as it moved from the POS servers to the computer system at the restaurant's headquarters and a data processor's network. Trial is scheduled to begin in Long Island, N.Y., in September 2009, the DOJ said.
The District of Massachusetts also has pending charges against Gonzalez for his role in the data breaches at TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. Trial on those related charges is scheduled to begin in 2010.