7-Eleven: Million credit and debit card numbers apparently stolen

[WSJ_law_blog]

NJ U.S. Attorney Files Charges in ‘Largest Reported Data Breach’



When it comes to criminal investigations and prosecution, the U.S. attorney’s office in Manhattan may get the lion’s share of the high-profile cases (See, e.g., Madoff, Dreier). But in terms of eye-popping filings, federal prosecutors in New Jersey have recently given the New Yorkers a run for their money.

The latest: The U.S. attorney’s office in Newark handed announced it landed an indictment Monday today against three individuals charged with being responsible for five corporate data breaches, including the single largest reported data breach in U.S. history. Click here for the indictment; here for the government’s press release; click here for the WSJ story.

The government’s press release states, in part:

The Indictment describes a scheme in which more than 130 million credit and debit card numbers together with account information were stolen from Heartland Payment Systems, Inc., based in Princeton, N.J., 7-Eleven, Inc., and Hannaford Brothers Co. In addition, the indictment describes two unidentified corporate victims as being hacked by the coconspirators.

As alleged in the Indictment, between October 2006 and May 2008, Albert Gonzalez, 28, of Miami, Fla., acted with two unnamed coconspirators to identify large corporations, often by scanning the list of Fortune 500 companies and exploring corporate websites. Upon identifying a potential victim, Gonzalez and his coconspirators sought to identify vulnerabilities, both by physical observation and by online exploration. For example, according to the Indictment, Gonzalez and an individual identified in the Indictment as “P.T.” would go to the retail locations of their potential victims in an attempt to identify the type of point-of-sale (“checkout”) machines utilized by the victim companies. After reconnaissance of the computer systems was completed, information would be uploaded to servers which served as hacking platforms. These servers, located in New Jersey and around the world, were used by the coconspirators to store information critical to the hacking schemes and to subsequently launch the hacking attacks.

According to the Indictment, the hacking attacks launched against the corporate victims consisted of what is known as a SQL-injection attack, which is an attack that exploits security vulnerabilities in elements of a computer that receives user input. Gonzalez provided some of the malicious software (malware) to his coconspirators, and they added their own as they sought to identify the location of credit and debit card numbers and other valuable data on the corporate victims’ computer systems. The coconspirators often worked together on a real-time basis, contacting each other by instant messaging as they were improperly accessing the corporate victims’ computer systems, according to the Indictment. Once the target information was discovered, it would be stolen from the corporate victims’ servers and placed onto servers controlled by Gonzalez and the coconspirators. In addition to searching for credit and debit card data on the victims’ computer systems, the Indictment alleges that Gonzalez and the coconspirators installed “sniffers” which conducted real-time interception of credit and debit card data being processed by the corporate victims and subsequently stolen from the corporate victims’ computer servers.

The Indictment alleges that Gonzalez and the coconspirators employed numerous techniques to hide their hacking efforts and data breaches. For example, they allegedly accessed the corporate websites only through intermediary, or “proxy,” computers, thereby disguising their own whereabouts. They also tested their malware by using approximately twenty of the leading anti-virus products to determine if any of those products would detect their malware as potentially unwanted. Furthermore, they programmed their malware to actively delete traces of the malware’s presence from the corporate victims’ networks.

Upon stealing the credit and debit card data, Gonzalez and the coconspirators would seek to sell the data to others who would use it to make fraudulent purchases, make unauthorized withdrawals from banks and further identity theft schemes.

oh thank heaven for seven-eleven

Can we sue them in a class action? Or make them cover our credit watch services at least? I charge at 7-11 several times each week.

Now what? -- we have to monitor our credit reports and cards for the next five years?