Biggest ever hacking and ID theft ring uncovered in US

18 Aug 2009

US authorities have indicted three men in what is believed to be the biggest hacking and identity theft ring ever prosecuted by the Department of Justice.

Over 130 million debit and credit-card numbers were stolen, which was run by 28-year-old Albert Gonzalez of Florida, AKA ‘segvec’, ‘soupnazi’ and ‘j4guar17’, and two unnamed co-conspirators.

The three hacked into computer networks supporting major American retail and financial organisations, including Heartland Payment Systems, a New Jersey-based card payment processor; 7-Eleven; and Hannaford Brothers Co, a Maine-based supermarket chain, the US Department of Justice said.

In a two-count indictment alleging conspiracy and conspiracy to engage in wire fraud, the three men were charged with using a sophisticated hacking technique called an SQL injection attack, which seeks to exploit computer networks by finding a way around the network’s firewall to steal credit and debit card information.

The indictment alleges that from October 2006, Gonzalez and his co-conspirators researched the credit and debit-card systems used by their victims, devised a sophisticated attack to penetrate their networks and steal credit and debit card data, and then sent that data to computer servers they operated in California, Illinois, Latvia, the Netherlands and Ukraine.

The indictment also alleges Gonzalez, who according to the Wall Street Journal was briefly an informant to the Secret Service, and his co-conspirators used sophisticated hacker techniques to cover their tracks and to avoid detection by anti-virus software used by their victims.

If convicted, Gonzalez faces up to 20 years in prison on the wire fraud conspiracy charge and an additional five years in prison on the conspiracy charge, as well as a fine of US$250,000 for each charge.

Gonzalez is currently in federal custody, having already been charged in New York in May 2008 for hacking into a computer network run by a national restaurant chain. He, and others, also face charges in 2010 for a number of retail hacks affecting eight major retailers that involved the theft of data related to 40 million credit cards.