550 Morninghome Road - Danville, CA 94526
(925) 314 - 9700

Largest Hacking and Data Breach Scheme Ever to be Prosecuted in the United States

Indictments were announced last Thursday in a case that U.S. Attorney Paul Fishman called “the largest hacking and data breach scheme ever prosecuted in the United States.” The group of hackers managed to amass more than 160 million credit and debit card numbers, Fishman said in a statement. According to the indictments, the group was selling the card numbers to “dumps resellers,” who then sold them to individuals and companies.

The hackers indicted last week were originally part of the crime ring led by Albert Gonzalez, of  Heartland Payment Systems breach fame.  Gonzalez was arrested back in 2008, and is now serving a twenty year sentence in prison, while these five continued their data “acquisitions”.

The purchasers of the data, or “the cashers” as they are referred to, used the information by encoding it into blank plastic cards.  In the case of debit cards, they withdrew money from ATMs; credit cards were duplicated and used to make purchases.

“Financial institutions, credit card companies and consumers suffered hundreds of millions in losses, including losses in excess of $300 million by just three of the corporate victims, and immeasurable losses to identity theft victims,” the indictment states. The companies targeted include the NASDAQ, Visa Inc., 7-Eleven Inc., Global Payment Systems Inc., the Belgium bank Dexia Bank Belgium, as well as Carrefour SA (CA), France’s biggest retailer, and Citibank.

Several companies were victims of a Structured Query Language, (SQL), injection attack.  SQL is a programming code that connects online databases, including those containing credit card data, to the portion of websites that visitors see.  Hackers can “inject” code to access the database if website owners fail to put up safeguards, such as preventing certain characters from being inserted into forms.  In the NASDAQ hack, attackers exploited a feature designed to help legitimate users recall forgotten passwords. In Citibank’s case, hackers were able to circumvent a safeguard that limited users to three tries a day. In 2008, they entered 300,000 of the 900,000 customer accounts they tried to breach through Citibank’s website, stealing $3.6 million from those accounts, the indictment said.

“This type of crime is the cutting edge,” Fishman said in a press release. “Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy and our national security. And this case shows there is a real practical cost because these types of frauds increase the costs of doing business for every American consumer, every day.”

A partial list of clients served