Three Men Charged in Largest U.S. Identity Theft Scheme

Three men were indicted on Monday for allegedly hacking into Heartland Payment Systems, 7-Eleven, and the Hannaford Brothers supermarket chain, stealing data related to more than 130 million credit and debit cards.

The indictment names Albert Gonzalez of Miami, a 28-year-old former government informant who has already been charged with stealing information related to 40 million credit cards from eight major retailers, and two unnamed co-conspirators based in Russia.

The data breach concerning Heartland Payment Systems, 7-Eleven and then Hannaford Brothers supermarket chain is believed to be the largest hacking and identity theft case ever prosecuted by the U.S. Department of Justice. In addition to the named victim companies, two unnamed corporations are also involved, according to a statement from the U.S. Attorney’s office.

The charges the three men will be facing include conspiring to hack into computer networks and stealing data as far back as October 2006. Gonzalez, whose aliases include "segvec" and "soupnazi", and the two Russians - named "Hacker 1" and "Hacker 2" - apparently discovered their victims on a list of Fortune 500 companies and visited retail locations in order to see what type of checkout systems they used.

The information they gained through these investigations were then uploaded onto servers that worked as hacking platforms. "These servers, located in New Jersey and around the world, were used by the co-conspirators to store information critical to the hacking schemes and subsequently to launch the hacking attacks," prosecutors said.

Using an SQL injection attack to steal the data and using computers located in California, Illinois, New Jersey, Ukraine, Latvia, and the Netherlands for storing malware and stolen information, and for launching the attacks. In an SQL injection attack, a small malicious script is inserted in the computer network, taking advantage of a vulnerability in the database layer of an application that feeds information to the website.

Gonzalez and his two co-conspirators also allegedly used backdoors and sniffers to intercept data in real time as it was processed by the victims, attempting to hide their actions by accessing the victim networks through their proxy computers. According to the indictment, they modified their software in order to evade detection by security software, programming it to delete traces of the malware from the networks.The indictment also claims that the men tried to sell the stolen information. All three are now charged with conspiracy to gain unauthorized access to computers, to commit fraud in connection with computers and to damage computers, and conspiracy to commit wire fraud. Each faces up to 35 years in prison as well as a fine of $1.25 million.

Heartland Payment Systems reported the violation on presidential Inauguration Day in January and were reported as stating that although it occurred last year, it found evidence of the intrusion just the week prior. Representatives from Heartland and 7-Eleven were unavailable for further comment, while Hannaford Brothers referred questions to federal authorities.

While the case remains ongoing, it should come as a welcome surprise that hackers are not the unknowable and omnipresent beings we may have once thought they were. They can and often are brought to justice. Hopefully this case will be a warning to other cybercriminals out there that their number's up.