Law enforcers may breathe a sigh of relief now that a hacker thought to be the mastermind behind the theft of data from more than 170 million credit cards is safely behind bars.
Albert Gonzalez, a 28-year-old Florida resident known by the code name "the soup nazi," was recently indicted for the largest-ever data breach in the United States, involving over 130 million compromised credit and debit card numbers and account information. The card information was stolen in 2008 from Heartland Payment Systems, Inc., along with retailers 7-Eleven, Inc., New England-based grocery chain Hannaford Brothers Co., and two other, unidentified corporations. He was indicted along with two Russian co-conspirators, known less imaginatively simply as “Hacker 1” and “Hacker 2.”
Gonzalez was already in a jail in Brooklyn, New York, awaiting trial on charges of masterminding another large-scale cyber theft involving more than 40 million credit card numbers from nine retailers, including TJX, the parent of TJMaxx and Marshall’s stores, and discounter BJ’s Wholesale Club. The hackers are thought to have exploited weaknesses in wireless computer networks by going around firewalls to steal credit card information stored on the retail chains’ servers, and then moving the data to computer servers in California and Illinois, and overseas to servers in Latvia, the Netherlands and Ukraine.
The good news about the most recent indictment is that the two largest data breaches ever, which took place between 2006 and 2008, have not only been resolved but also originated with just one small ring of hackers. The bad news is how successful these hackers were in outsmarting security measures and getting to the stored credit card data.
Gonzalez may have had special advantages that enabled him to perpetrate these large-scale break-ins. He was a former informant for the U.S. Secret Service who had been helping the agency track down hackers, but who at the same time secretly passed inside information about the ongoing investigations to hackers, warning off at least one individual.
But while Gonzalez may have been in a unique position to strike, officials say that the hackers involved weren’t computer geniuses. They were able to perpetrate record data breaches by using a fairly simple technique called “wardriving,” in which hackers cruise around town with a laptop, looking for unprotected wireless Internet signals. When a vulnerable network was located, the fraudsters installed so-called “sniffer programs,” which siphoned off credit and debit card numbers moving through the credit card processing networks.
While the goal was to sell the stolen data, it is unclear how successful that part of the scheme was. According to investigators, it is usually impossible to trace how many of these data thefts resulted in fraudulent charges for account holders.
With the latest indictment, law enforcers succeeded in bringing closure to what is thought to be the largest hacking and identity theft case ever. Does this mean that we will enjoy greater credit card security going forward? Well, as cyber thieves continue to become increasingly sophisticated, that remains to be seen.







