, SecurityFocus 2009-08-18
A federal grand jury in New Jersey indicted three people on Monday for conspiring to break into the servers of five companies, including those of credit-card processor Heartland Payment Systems, grocery store chain Hannaford Bros., and convenience store chain 7-Eleven.
The indictment (pdf) charges Albert Gonzalez, the 28-year-old resident of Florida previously indicted for allegedly breaching the servers of retailer TJX and eight other companies, with conspiring with two unnamed Russian hackers and a third person identified as "P.T.," who is not being charged. In total, federal prosecutors have charged Gonzalez, who used the online handle "segvec," with taking part in the breaches of at least 14 large companies and stealing more than 225 million credit- and debit-card accounts.
This investigation marks the continued success of law enforcement in tracking down cutting-edge hacking schemes committed by hackers working together across the globe," Acting U.S. Attorney Ralph J. Marra, Jr., said in a statement (pdf). "When companies make the decision to work with law enforcement and disclose a data breach at the earliest possible opportunity, it provides the best chance at apprehending a hacker and demonstrates that those corporate victims will actively defend their systems."
The prosecution of Gonzalez sheds light on the largest financial breaches of the past three years, including 130 million credit- and debit-card accounts stolen from Heartland Payment Systems' servers and at least 94 million credit- and debit-card accounts stolen from TJX. The latest indictment also states that 4.2 million accounts were stolen from Hannaford's servers.
The hackers apparently gained much of their access through a common form of Web attack known as SQL injection, where an attacker uses a vulnerability in a Web site to send common database commands, known as structured query language (SQL), to the database holding the Web site data. Using the attack, the four people allegedly installed malicious software on vulnerable systems on the network, the indictment stated.
"They would install 'sniffer' programs that would capture credit and debit card numbers, corresponding Card Data, and other information on a real-time basis as the information moved through the Corporate Victim's credit and debit card processing networks, and then periodically transmit that information to the co-conspirators," the indictment charged.
The indictment also suggests that Heartland Payment Systems has been less than forthcoming with details of the full scope of the breach of its network. In its original announcement, which oddly coincided with President Barack Obama's inauguration, the company claimed that it had only learned of the breach the week before. A later lawsuit, which also questioned the timing, based estimates of the breach's size on a date of October 2008. And, the CEO of the company, Robert Carr, stated that the breach took place in 2008, in an apology to consumers.
Yet, the indictment fixes the date of the SQL injection attack that kicked off the data breach at "on or about December 26, 2007."
In total, the breach of Heartland Payment Systems totaled 130 million credit- and debit-card accounts, according to the indictment.
In a statement released on Monday, Heartland congratulated the Department of Justice and investigators. "Heartland looks forward to lending whatever support we can to this investigation as well as the broader fight against global cyber criminals," the company said.
If you have tips or insights on this topic, please contact SecurityFocus.