130 million is a large number, but that’s how many credit card numbers a group of three hackers are alleged to have stolen from five different companies including 7 Eleven, Hannaford, and Heartland Payment Systems says the Department of Justice.

The DOJ says:

As alleged in the Indictment, between October 2006 and May 2008, Albert Gonzalez, 28, of Miami, Fla., acted with two unnamed coconspirators to identify large corporations, often by scanning the list of Fortune 500 companies and exploring corporate websites. Upon identifying a potential victim, Gonzalez and his coconspirators sought to identify vulnerabilities, both by physical observation and by online exploration. For example, according to the Indictment, Gonzalez and an individual identified in the Indictment as “P.T.” would go to the retail locations of their potential victims in an attempt to identify the type of point-of-sale (“checkout”) machines utilized by the victim companies. After reconnaissance of the computer systems was completed, information would be uploaded to servers which served as hacking platforms. These servers, located in New Jersey and around the world, were used by the coconspirators to store information critical to the hacking schemes and to subsequently launch the hacking attacks.

According to the Indictment, the hacking attacks launched against the corporate victims consisted of what is known as a SQL-injection attack, which is an attack that exploits security vulnerabilities in elements of a computer that receives user input. Gonzalez provided some of the malicious software (malware) to his coconspirators, and they added their own as they sought to identify the location of credit and debit card numbers and other valuable data on the corporate victims’ computer systems. The coconspirators often worked together on a real-time basis, contacting each other by instant messaging as they were improperly accessing the corporate victims’ computer systems, according to the Indictment. Once the target information was discovered, it would be stolen from the corporate victims’ servers and placed onto servers controlled by Gonzalez and the coconspirators.

In addition to searching for credit and debit card data on the victims’ computer systems, the Indictment alleges that Gonzalez and the coconspirators installed “sniffers” which conducted real-time interception of credit and debit card data being processed by the corporate victims and subsequently stolen from the corporate victims’ computer servers.

The hackers would then sell the credit card information to people who would attempt to use it to make fraudulent purchases or withdraw money.

The NYT says the Gonzalez has been in custody since 2008 — when he was arrested for his involvement in a data theft at Dave & Busters. He was also indicted in the 2005 TJX data breach.

Erez Liebermann, an assistant United States attorney in the Justice Department’s New Jersey office, said Mr. Gonzalez’s involvement in so many data breaches suggested that “perhaps the individuals capable of such conduct are a tighter-knit group than may have been previously thought.”

Ya think?

The other, unnamed co-conspirators in the case are identified as “Hacker 1” and “Hacker 2,” and are disappointingly located in Russia, rather than in a copy of The Cat In The Hat.

Three Men Indicted for Hacking into Five Corporate Entities, including
Heartland, 7-Eleven, and Hannaford, With Over 130 Million Credit and
Debit Card Numbers Stolen (PDF) [Department of Justice]
3 Indicted in Theft of 130 Million Card Numbers [NYT]
(Photo:taberandrew)

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.