Details of Heartland, Hannaford Data Breaches Emerge

The indictment listing the charges against a 28-year-old Miami man sheds new light on how the government says a group of attackers penetrated the security of Heartland Payment Systems, Hannaford Bros. and 7-Eleven.

Roughly seven months after news broke of a breach at Heartland Payment Systems, 28-year-old Albert Gonzalez was indicted for cracking the company's security.

But to hear authorities tell it, Heartland wasn't the Miami man's only victim. Among the others are 7-Eleven and Hannaford Brothers Co.

With the indictment has come some new information about the data breaches. Gonzalez was indicted along with two unidentified co-conspirators believed to be from Russia. A fourth individual, identified in the federal indictment only as P.T., was not charged in the case but is listed as a co-conspirator.

According to the U.S. Department of Justice, the group used computers around the globe to stage attacks and store malware and stolen information. In order to prepare, the group tested the strength of their malware by putting it up against approximately 20 different anti-virus programs.

"The attack took planning and organization, but ultimately it was done with relatively common attack techniques," said Rohit Dhamankar, director of DVLabs at TippingPoint. "It just goes to show that even the most basic type of attack can do serious damage and enterprises need to be more vigilant about protecting the outward facing portions of their networks." According to the government, beginning in Oct. 2006, Gonzalez and his partners began researching the credit and debit card systems used by their victims.

Once inside the corporate networks, the gang conducted reconnaissance to find credit and debit card numbers and other information. The group used sniffer programs to steal the data, and would communicate via instant message while attacks were in progress and advise each other as to how to navigate the corporate networks to find data, authorities said.

At the time of the Heartland incident, the company processed millions of credit and debit card transactions daily. Beginning on or about Dec. 26, 2007 , the company was hit with a SQL injection attack on its corporate network that resulted in malware being placed on its payment processing system and the theft of more than 130 million credit and debit card numbers and corresponding card data.

It was the same story with Hannaford, which reported a malicious Trojan was programmed to pilfer data from the magnetic stripe of credit and debit cards being swiped at Hannaford's checkout counters. This is believed to have happened around November 2007. The attack led to the compromise of 4.2 million in credit and debit card numbers and related data.

Before that was 7-Eleven. The chain of convenience stores was hit with a SQL injection attack around August 2007. After swiping the data, they sent the information to computer servers they operated in California, Illinois, Latvia, the Netherlands and Ukraine.

In addition to these attacks, Gonzalez is currently awaiting trial for his alleged involvement in the TJXhack, as well as an attack targeting the computers of the Dave & Buster's restaurant chain in New York.

The fact that some, if not all, of the companies were PCI DSScompliant before the attacks sparked questions about efficacy of PCI regulations. Steve Dauber, vice president of marketing at RedSeal, noted that PCI audits are only the beginning.

"PCI is actually a pretty reasonable set of basic security recommendations," he said. "The problem is that businesses mistake passing a PCI audit with being PCI compliant. Audits aren't comprehensive by nature- they will never catch every potential error in implementation. More importantly, audits occur at a point in time, but your IT infrastructure changes constantly. So even if you do pass your audit, you may fall out of compliance the next week. If you want to benefit from PCI, you need to maintain compliance both comprehensively and continuously."