Indictments Arrive for Largest U.S. Credit Card Breach

Albert Gonzalez, a 28-year-old resident of Miami, was indicted Aug. 17 for his alleged participation in the largest credit and debit card data breach ever charged in the United States. Federal prosecutors say Gonzalez’ corporate victims included Heartland Payment Systems, a New Jersey-based card payment processor; 7-Eleven, a Texas-based nationwide convenience store chain; and Hannaford Brothers, a Maine-based supermarket chain.

In a two-count indictment alleging conspiracy and conspiracy to engage in wire fraud, Gonzalez (aka segvec, soupnazi and j4guar17) is charged-along with two unnamed co-conspirators-with launching an SQL injection attack against his victims. SQL attacks seek to exploit computer networks by finding a way around a network’s firewall to steal credit and debit card information.

The indictment alleges that beginning in October 2006 Gonzalez and his co-conspirators researched the credit and debit card systems used by their victims and devised a sophisticated attack to penetrate their networks and steal credit and debit card data. Gonzalez then allegedly sent that data to computer servers the group operated in California, Illinois, Latvia, the Netherlands and Ukraine.

To read more about Heartland Payment Systems’ security woes, click here.

In addition, Gonzalez and his co-conspirators are charged with using sophisticated hacking techniques to cover their tracks and avoid detection by anti-virus software. If convicted, Gonzalez faces up to 20 years in prison on the wire fraud conspiracy charge and an additional five years in prison on the conspiracy charge, as well as a fine of $250,000 for each charge.

Gonzalez is currently in federal custody facing other hacking indictments. In May 2008, the U.S. Attorney’s Office for the Eastern District of New York charged Gonzalez with an alleged role in the hacking of a computer network run by the national restaurant chain Dave & Buster’s. The trial on those charges is scheduled to begin in Long Island, N.Y., in September.

In August of 2008, the Department of Justice announced an additional series of indictments against Gonzalez and others for a number of retail hacks affecting eight major retailers and involving the theft of data related to 40 million credit cards. Those charges were filed in the District of Massachusetts. Gonzalez is scheduled for trial on those charges in 2010.

The charges announced Aug. 17 relate to a different pattern of alleged hacking activity that targeted different corporate victims and involved different co-conspirators.