Strategic Profits Inc

Hacker charged with Heartland, other breaches Robert Lemos, SecurityFocus 2009-08-18

Sep 16, 2009

It's nice to see that law enforcement was able to arrest those allegedly involved in the Heartland breach. It is no easy task to track down people creating these breaches, so congratulations to all involved. It will be interesting to view the results of this trial, whether they are found guilty (remember, you are innocent until a court has imposed a guilty result) and, if so, what type of penalty will be imposed. Stay tuned...

Hacker charged with Heartland, other breaches Robert Lemos, SecurityFocus 2009-08-18

A federal grand jury in New Jersey indicted three people on Monday for conspiring to break into the servers of five companies, including those of credit-card processor Heartland Payment Systems, grocery store chain Hannaford Bros., and convenience store chain 7-Eleven.


The indictment (pdf) charges Albert Gonzalez, the 28-year-old resident of Florida previously indicted for allegedly breaching the servers of retailer TJX and eight other companies, with conspiring with two unnamed Russian hackers and a third person identified as "P.T.," who is not being charged. In total, federal prosecutors have charged Gonzalez, who used the online handle "segvec," with taking part in the breaches of at least 14 large companies and stealing more than 225 million credit- and debit-card accounts.

"This investigation marks the continued success of law enforcement in tracking down cutting-edge hacking schemes committed by hackers working together across the globe," Acting U.S. Attorney Ralph J. Marra, Jr., said in a statement (pdf). "When companies make the decision to work with law enforcement and disclose a data breach at the earliest possible opportunity, it provides the best chance at apprehending a hacker and demonstrates that those corporate victims will actively defend their systems."

The prosecution of Gonzalez sheds light on the largest financial breaches of the past three years, including 130 million credit- and debit-card accounts stolen from Heartland Payment Systems' servers and at least 94 million credit- and debit-card accounts stolen from TJX. The latest indictment also states that 4.2 million accounts were stolen from Hannaford's servers.

The hackers apparently gained much of their access through a common form of Web attack known as SQL injection, where an attacker uses a vulnerability in a Web site to send common database commands, known as structured query language (SQL), to the database holding the Web site data. Using the attack, the four people allegedly installed malicious software on vulnerable systems on the network, the indictment stated.
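To make the mechanism concrete, here is an added example that is not part of the SecurityFocus article or the indictment. It builds a constructed, in-memory SQLite database (two tables and hypothetical test card numbers, not data from any real system) and runs the same search term through a string-concatenated query and a parameterised one. The concatenated version lets a search term pull rows out of an unrelated card table; the parameterised version treats the same input as a plain string.

```python
import sqlite3

# Constructed sample database: a product catalogue for the web tier and a
# card table that happens to be reachable from the same database connection.
# The PANs are standard test numbers, not real cards.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE card_data(id INTEGER PRIMARY KEY, pan TEXT, exp TEXT);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
        INSERT INTO card_data VALUES (1, '4111111111111111', '12/09'),
                                     (2, '5555555555554444', '06/10');
        """
    )
    return conn


def search_products_vulnerable(conn, term):
    # Vulnerable on purpose: the user-supplied term is pasted into the SQL
    # text, so a quote and a UNION in the term become part of the statement.
    sql = "SELECT name, price FROM products WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_products_safe(conn, term):
    # Hardened: the term is sent as a bound parameter. The engine never parses
    # it as SQL, so an injection payload simply matches no product name.
    sql = "SELECT name, price FROM products WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()


# A classic UNION payload: closes the string literal, appends a SELECT over the
# card table, and comments out the trailing quote the application adds.
INJECTION = "x' UNION SELECT pan, exp FROM card_data --"


def demo():
    conn = build_db()
    return {
        "legit_vulnerable": search_products_vulnerable(conn, "widget"),
        "attack_vulnerable": sorted(search_products_vulnerable(conn, INJECTION)),
        "attack_safe": search_products_safe(conn, INJECTION),
        "legit_safe": search_products_safe(conn, "widget"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The point to take from the example is that the database cannot tell the application's SQL from the attacker's once they are concatenated; only binding the value separately (or, at minimum, strict allow-list validation) restores that distinction. Segregating card data from anything the web tier can query is the second layer the article's victims evidently lacked.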

"They would install 'sniffer' programs that would capture credit and debit card numbers, corresponding Card Data, and other information on a real-time basis as the information moved through the Corporate Victim's credit and debit card processing networks, and then periodically transmit that information to the co-conspirators," the indictment charged.
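The sniffer the indictment describes had to pick card numbers out of raw traffic, and a defender watching the same segment needs the same test to know whether cleartext PANs are crossing the wire. The following is an added example, not code from the article or the indictment: it runs the Luhn check over a constructed byte buffer (hypothetical authorisation messages using standard test card numbers) and reports masked matches, while ignoring digit runs such as reference numbers and timestamps that are not valid card numbers.

```python
import re

# Constructed sample traffic: hypothetical authorisation records of the kind a
# sniffer on a processing network might see if card data were unencrypted.
# The PANs are standard test numbers; the other digit runs are decoys.
SAMPLE = (
    b"AUTH pan=4111111111111111 exp=1209 amt=001999 ref=1234567812345678\n"
    b"AUTH pan=5555555555554444 exp=0610 amt=004550 ref=20071226000000001\n"
    b"PING seq=0000000000001 ts=1230768000\n"
)


def luhn_ok(digits: str) -> bool:
    # Luhn mod-10 check: from the right, double every second digit, subtract 9
    # from any doubled value above 9, and require the sum to be divisible by 10.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    # Keep only the first six and last four digits, the usual PCI masking rule.
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(buf: bytes):
    """Return (offset, masked_pan) for every Luhn-valid 13-19 digit run in buf."""
    text = buf.decode("latin-1")
    hits = []
    for m in re.finditer(r"(?<!\d)\d{13,19}(?!\d)", text):
        candidate = m.group()
        if luhn_ok(candidate):
            hits.append((m.start(), mask(candidate)))
    return hits


if __name__ == "__main__":
    for offset, masked in find_pans(SAMPLE):
        print(f"cleartext PAN at byte {offset}: {masked}")
```

A Luhn match alone is not proof of a card number (roughly one random digit run in ten passes), so production detectors also check issuer prefixes and context; but a Luhn-valid 16-digit run next to an expiry field on a processing network is exactly the signal the indictment says the attackers were harvesting, and it is one a network monitor can raise an alarm on.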

The indictment also suggests that Heartland Payment Systems has been less than forthcoming with details of the full scope of the breach of its network. In its original announcement, which oddly coincided with President Barack Obama's inauguration, the company claimed that it had only learned of the breach the week before. A later lawsuit, which also questioned the timing, based estimates of the breach's size on a date of October 2008. And, the CEO of the company, Robert Carr, stated that the breach took place in 2008, in an apology to consumers.

Yet, the indictment fixes the date of the SQL injection attack that kicked off the data breach at "on or about December 26, 2007."

In total, the breach of Heartland Payment Systems totaled 130 million credit- and debit-card accounts, according to the indictment.

In a statement released on Monday, Heartland congratulated the Department of Justice and investigators. "Heartland looks forward to lending whatever support we can to this investigation as well as the broader fight against global cyber criminals," the company said.

Previous Posts

Jul 02.09 | RBS WorldPay and Heartland back on the validated Visa PCI DSS compliant list

RBS WorldPay regains spot on Visa's PCI compliance list

Apr 20.09 | PCI DSS is not designed to be attained like your Girl or Boy Scout Badge


Sep 30.08 | Second Annual Payment Card Industry Community Meeting - Oh What a Difference A Year Makes!


Aug 25.08 | TOP 10 List of Ways to Create a “Security Culture” Within an Organization

Al Decker and Rebecca Whitener, two security experts from Texas technology services company EDS, have compiled a top 10 list of ways to create a "security culture" within an organization. The two say that with security breaches and identity theft on the rise, protecting information is the responsibility of everyone in an organization.

Jul 25.08 | Ted Hart launches Green Nonprofits organization

"For years I've heard from nonprofits around the world of their interest to support and protect the environment. Because they did not perceive themselves to be experts, it was unclear what they could do to make a difference and still run a successful nonprofit/NGO. Today, GreenNonprofits, Inc. provides that answer; provides that path for every nonprofit around the world to make significant changes that when combined together will create a powerful force for the greening of this industry." - Ted Hart, CEO

GreenNonprofits was founded to be an accessible source of information about greening your nonprofit workplace, and to be a desktop tool for any nonprofit to become green[er].

"As people and corporations around the world become more 'green' they in turn expect the nonprofits they support to also take proactive steps to protect the environment. GreenNonprofits will lead the way in helping Nonprofits/NGOs around the world meet this challenge." - Ted Hart, CEO

Jan 14.08 | Convio Security Breach and (PCI DSS) Payment Card Industry Data Security Standards

I find it interesting that I see no mention in any of Convio's follow up information of the required and mandatory Payment Card Industry Data Security Standard's compliance certificate for service providers in our industry.

Sep 20.07 | What a Difference a Week Makes!

PCI DSS First Global Community Meeting!

Sep 10.07 | PCI DSS! Is The Payment Industry Serious About Getting and Keeping Itself Secure?

The PCI DSS program has been in place in its original incarnation as AIS/CISP since 2001! Why is it then that so few organizations worldwide are compliant? Why is it then that so many service providers are still doing business "flying under the radar screen"?

Nov 17.06 | I’ll Take a Ticket on You Kid!

About 6 pm, Wednesday evening October 25, Jimmy, my dearest friend and mentor, transitioned into heaven to begin the next phase of his life! A time for great sorrow and great celebration!