Article

Three indicted for Hannaford, Heartland data breaches

SearchSecurity.com Staff

    Requires Free Membership to View

    Login

SearchSecurity.com:
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

A federal grand jury has indicted a Miami man and two Russian hackers for their involvement in an international scheme to steal more than 130 million credit and debit card numbers from five companies.

The indictment alleges the men conspired to conduct the largest credit and debit card data breach ever charged in the United States.

The Department of Justice issued a statement today about the indictment, which accuses Albert Gonzalez, 28, and two unnamed Russian citizens of stealing data from Heartland Payment Systems Inc., 7-Eleven Inc. and Hannaford Brothers Co. Two other companies remain unnamed because their breaches have not been made public, the DOJ said.

The two-count indictment alleges conspiracy and conspiracy to engage in wire fraud. Gonzales, AKA "segvec," "soupnazi" and "j4guar17," is charged, along with two unnamed co-conspirators, with using a SQL injection attack, to bypass company network firewalls to steal credit and debit card information.

Defend against SQL Injection:
New defenses for automated SQL injection attacks: By automating SQL injection attacks, hackers have found a way to expedite the process of finding and exploiting vulnerable websites.

New wave of SQL injection attacks alarm researchers: Researchers are uncovering a wave of SQL injection attacks, suggesting that attackers are finding it easy to compromise new targets.

Fuzzing tool helps Oracle DBAs defend against SQL injection: A new open source fuzzing tool is available to test PL/SQL applications for security vulnerabilities. The free tool was developed by database security vendor Sentrigo.

The indictment alleges that beginning in October 2006, Gonzales and the two Russian hackers researched the credit and debit card systems used by the companies. They then developed a plan to attack and penetrate their networks to steal the data. Once the data was retrieved, it was sent to computer servers they operated in California, Illinois, Latvia, the Netherlands and Ukraine. Prosecutors said the trio also used a number of techniques to hide their activity, including testing their malware against top antivirus products to evade detection and programming the malware to delete its tracks on victim networks.

If convicted, Gonzales faces up to 20 years in prison on the wire fraud conspiracy charge and an additional five years in prison on the conspiracy charge, as well as a fine of $250,000 for each charge.

Gonzalez, who is currently in federal custody, was indicted in the Eastern District of New York in May 2008 in the data security breach at 11 Dave & Busters restaurants.

That indictment also names two other men, Maksym Yastremskiy of Kharkov, Ukraine, and Aleksandr Suvorov of Estonia with wire fraud, computer fraud, aggravated identity theft, and other crimes in connection with the scam, which occurred in 2007. Yastremskiy and Suvorov allegedly gained unauthorized access to the point-of-sale servers at each restaurant and installed a packet sniffer designed to capture Track 2 data as it moved from the POS servers to the computer system at the restaurant's headquarters and a data processor's network. Trial is scheduled to begin in Long Island, N.Y., in September 2009, the DOJ said.

The District of Massachusetts also has pending charges against him for his role in the data breaches at TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. Trial on those related charges is scheduled to begin in 2010.


Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.
    Back to top