Prosecutors say man stole 130M credit card numbers

Aug 17, 2009 By DEVLIN BARRETT , Associated Press Writer

(AP) -- Federal prosecutors on Monday charged a Miami man with the largest case of credit and debit card data theft ever in the United States, accusing the one-time government informant of swiping 130 million accounts on top of 40 million he stole previously.

Albert Gonzalez, 28, broke his own record for identity theft by hacking into retail networks, according to prosecutors, though they say his illicit exploits ended when he went to jail on charges stemming from an earlier case.

Gonzalez is a former informant for the U.S. Secret Service who helped the agency hunt hackers, authorities say. The agency later found out that he had also been working with criminals and feeding them information on ongoing investigations, even warning off at least one individual, according to authorities.

Gonzalez, who is already in jail awaiting trial in a hacking case, was indicted Monday in New Jersey and charged with conspiring with two other unnamed suspects to steal the private information. Prosecutors say the goal was to sell the stolen data to others.

How much of the data was sold and then used to make fraudulent charges is unclear. Investigators in such cases say it is usually impossible to quantify the impact of such thefts on account holders.

Prosecutors say Gonzalez, who is known online as "soupnazi," targeted customers of convenience store giant 7-Eleven Inc. and supermarket chain Hannaford Brothers, Co. Inc. He also targeted Heartland Payment Systems, a New Jersey-based card payment processor.

According to the indictment, Gonazalez and his two Russian coconspirators would hack into corporate computer networks and secretly place "malware," or , that would allow them backdoor access to the networks later to steal data.

Gonzalez faces up to 20 years in prison if convicted of the new charges. His lawyer did not immediately return a call for comment.

Gonzalez is awaiting trial next month in New York for allegedly helping hack the computer network of the national restaurant chain Dave and Buster's.

The Justice Department said the new case represents the largest alleged credit and debit card data breach ever charged in the United States, based on a scheme that began in October 2006.

Gonzalez allegedly devised a sophisticated attack to penetrate the computer networks, steal the card data, and send that data to computer servers in California, Illinois, Latvia, the Netherlands and Ukraine.

Also last year, the Justice Department announced additional charges against Gonzalez and others for hacking retail companies' computers for the theft of approximately 40 million credit cards. At the time, that was believed to be the biggest single case of hacking private computer networks to steal credit card data, puncturing the electronic defenses of retailers including T.J. Maxx, Barnes & Noble, Sports Authority and OfficeMax.

Prosecutors charge Gonzalez was the ringleader of the hackers in that case.

At the time of those charges, officials said the alleged thieves weren't computer geniuses, just opportunists who used a technique called "wardriving," which involved cruising through different areas with a laptop computer and looking for accessible wireless Internet signals. Once they located a vulnerable network, they installed so-called "sniffer programs" that captured credit and debit card numbers as they moved through a retailer's processing networks.

Gonzalez faces a possible life sentence if convicted in that case.

Restaurants are among the most common targets for hackers, experts said, because they often fail to update their antivirus software and other computer security systems.

Scott Christie, a former federal prosecutor now in private practice in New Jersey, said the case shows that despite the best efforts by companies to protect data privacy, there are still individuals capable of sneaking in.

"Cases like this do cause companies to sit up and take notice that this is a problem and more needs to be done," said Christie.

©2009 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

Explore further: Study: Social media users shy away from opinions

add to favorites email to friend print save as pdf

Related Stories

TJX Intruder Had Retailer's Encryption Key

Mar 30, 2007

Not that the culprit necessarily needed it. Data was apparently taken during the card-approval process before it was encrypted. These are among the latest details in what is almost certainly the worst retail data breach ever. ...

California man indicted in 'botnet' case

Feb 11, 2006

A California man was indicted Friday for allegedly creating a "botnet" that used university computer systems and disrupted information technology at a Seattle hospital.

TJX reaches settlement with states on data theft

Jun 23, 2009

(AP) -- Discount retailer TJX Cos. said Tuesday it has reached a settlement with multiple states related to a massive data theft that occurred at the parent company of retailers T.J. Maxx and Marshall's a few years ago.

U.S., British hackers face the music

May 10, 2006

Only two days after U.S. federal authorities sentenced a 21-year-old to five years in prison for hacking computers, the British government ruled that one of its citizens should be extradited to the United States for hacking ...

Recommended for you

Study: Social media users shy away from opinions

Aug 26, 2014

People on Facebook and Twitter say they are less likely to share their opinions on hot-button issues, even when they are offline, according to a surprising new survey by the Pew Research Center.

US warns shops to watch for customer data hacking

Aug 23, 2014

The US Department of Homeland Security on Friday warned businesses to watch for hackers targeting customer data with malicious computer code like that used against retail giant Target.

Fitbit to Schumer: We don't sell personal data

Aug 22, 2014

The maker of a popular line of wearable fitness-tracking devices says it has never sold personal data to advertisers, contrary to concerns raised by U.S. Sen. Charles Schumer.

Should you be worried about paid editors on Wikipedia?

Aug 22, 2014

Whether you trust it or ignore it, Wikipedia is one of the most popular websites in the world and accessed by millions of people every day. So would you trust it any more (or even less) if you knew people ...

Philippines makes arrests in online extortion ring

Aug 22, 2014

Philippine police have arrested eight suspected members of an online syndicate accused of blackmailing more than 1,000 Hong Kong and Singapore residents after luring them into exposing themselves in front of webcam, an official ...

User comments : 4

Adjust slider to filter visible comments by rank

Display comments: newest first

zevkirsh
2 / 5 (1) Aug 17, 2009
they don't even know how much money he stole. he ccould have stolen 10 grand worth and they would still put him in jail for 20 years.
zbarlici
3 / 5 (2) Aug 17, 2009
zevkirsh... don`t worry they`re gonna come for you next.

As most convenience stores and restaurants have a policy in place to discourage robbers by having a time-delayed safe and keeping a minimum of $$ in the till, why in the hell are companies not required to adopt a similar kind of safety protocol, where if a hacker happens to get access to the system, they can only get a hold of a handful of credit card #`s....?
cmn
1 / 5 (1) Aug 18, 2009
Life in prison for hacking and stealing CC#s? Sad.
yyz
not rated yet Aug 18, 2009
Let's see........charge $10 to each account times 130 million accounts comes to $1.3 billion dollars. Not exactly chump change.