With the indictment has come some new information about the data breaches. Gonzalez was indicted along with two unidentified co-conspirators believed to be from Russia.
A fourth individual, identified in the federal indictment only as P.T.,
was not charged in the case but is listed as a co-conspirator.
According to the U.S. Department of Justice, the group used computers
around the globe to stage attacks and store malware and stolen
information. In order to prepare, the group tested the strength of
their malware by putting it up against approximately 20 different
anti-virus programs.
The attack took planning and organization, but ultimately it was done
with relatively common attack techniques, said Rohit Dhamankar,
director of DVLabs at TippingPoint. It just goes to show that even the
most basic type of attack can do serious damage and enterprises need to
be more vigilant about protecting the outward facing portions of their
networks. According to the government, beginning in Oct. 2006, Gonzalez and his partners began researching the credit and debit card systems used by their victims.
Once inside the corporate networks, the gang conducted reconnaissance to
find credit and debit card numbers and other information. The group
used sniffer programs to steal the data, and would communicate via
instant message while attacks were in progress and advise each other as
to how to navigate the corporate networks to find data, authorities
said.
At the time of the Heartland incident, the company processed millions
of credit and debit card transactions daily. Beginning on or about
Dec. 26, 2007 , the company was hit with a SQL injection attack on its corporate
network that resulted in malware being placed on its payment processing
system and the theft of more than 130 million credit and debit card
numbers and corresponding card data.
It was the same story with Hannaford,
which reported a malicious Trojan was programmed to pilfer data from
the magnetic stripe of credit and debit cards being swiped at
Hannaford's checkout counters. This is believed to have happened around
November 2007. The attack led to the compromise of 4.2 million in
credit and debit card numbers and related data.
Before that was 7-Eleven. The chain of convenience stores was hit with a SQL injection attack around August 2007. After swiping the data, they sent the information to computer servers they operated in
California, Illinois, Latvia, the Netherlands and Ukraine.
In addition to these attacks, Gonzalez is currently awaiting trial for his alleged involvement in the
TJXhack, as well as an attack targeting the computers of the Dave & Buster's restaurant chain in New York.
The fact that some, if not all, of the companies were PCI
DSScompliant before
the attacks sparked questions about efficacy of PCI regulations. Steve
Dauber, vice president of marketing at RedSeal, noted that PCI audits
are only the beginning.
PCI is actually
a pretty reasonable set of basic security recommendations, he said.
The problem is that businesses mistake passing a PCI audit with being
PCI compliant. Audits arent comprehensive by nature they will
never catch every potential error in implementation. More importantly,
audits occur at a point in time, but your IT infrastructure changes
constantly. So even if you do pass your audit, you may fall out
of compliance the next week. If you want to benefit from PCI, you
need to maintain compliance both comprehensively and continuously.