TJX Hacker Charged with Heartland, Hannaford Breaches
(Wired Magazine) – The constellation of hacks connected to the TJX hacker is growing.
Albert “Segvec” Gonzalez, a former Secret Service informant who is already awaiting trial over his involvement in the TJX hack, has been indicted by a federal grand jury in New Jersey, along with two unnamed Russia-based conspirators, on charges of hacking into Heartland Payment Systems, the New Jersey-based card processing company, as well as Hannaford Brothers, 7-Eleven, Inc., and two unnamed national retailers, according to the indictment unsealed Monday.
Prosecutors say they’re investigating other breaches and have not ruled out Gonzalez’s involvement in even more intrusions.
“[The fact that] we’re not seeing a huge array of hackers capable of doing this, but rather a more select group, demonstrates that there is a level of sophistication involved in these hacks,” said Assistant U.S. Attorney Erez Liebermann from the Justice Department’s New Jersey district office.
According to the court document, the hackers stole more than 130 million credit and debit card numbers from Heartland and Hannaford combined, which authorities believe constitutes the largest data breach and identity theft case ever prosecuted in the U.S. But these are just the latest in a string of high-profile breaches that have been connected to Gonzalez.
He and 10 others were charged in May and August 2008 for network intrusions into TJX, OfficeMax, Dave & Busters restaurant chain, and other companies. Jury selection is slated to begin in Massachusetts on September 14 in the TJX-related charges. With regard to the Heartland-Hannaford cases, Gonzalez and the two unnamed Russian hackers have been charged with one count of conspiracy to commit computer fraud and one count of conspiracy to commit wire fraud.
They each face a maximum penalty of 5 years in prison and a possible maximum fine of $250,000 on the computer fraud count and an additional 30 years and $1 million fine on the wire fraud count, or twice the amount they gained from the offense, whichever is greater.
According to the New Jersey indictment, Gonzalez, 28, and an uncharged conspirator identified only as “P.T.,” allegedly found their targets on a list of Fortune 500 companies and then did reconnaissance to determine the payment processing systems they used and uncover vulnerabilities. The hackers used computers they leased or controlled in California, Illinois and New Jersey as well as in Latvia, Ukraine and the Netherlands to store malware, launch their attacks against the networks and receive the stolen numbers.
In August 2007, using a SQL-injection attack, the hackers allegedly broke into the 7-Eleven network, resulting in the theft of an undetermined amount of card data. They used the same kind of attack to infiltrate Hannaford Brothers in November 2007, which resulted in the theft of 4.2 million debit and credit card numbers, and Heartland on December 26, 2007. Of the two unnamed national retailers mentioned in the affidavit, one was breached on October 23, 2007; the other some time around January 2008.
Liebermann declined to identify the two national retailers, or state the amount of data stolen from them, because he said they have not gone public with their breaches.
Once on the networks, the hackers installed back doors to provide them with continued access at later dates.
According to authorities, the hackers tested their malware against some 20 different anti-virus programs to make sure they wouldn’t be detected and also programmed the malware to erase evidence from the hacked networks to avoid forensic detection.
“The fact that they were able to evade anti-virus software that was running on the environment by testing it and programming the malware to erase itself suggests a degree of sophistication,” said Assistant U.S. Attorney Seth Kosto from the New Jersey office. “If it were just a case of getting onto the network, the card data would probably not have been exfiltrated.”
Heartland disclosed last January that hackers had installed sniffing software on its network that allowed them to capture unencrypted credit card data as transactions were being authorized in its system.
The thieves captured card account numbers and expiration dates and, in 20 percent of cases, the customer’s name as well. The company has never disclosed the number of cards compromised, although the company’s web site indicates that it processes about 100 million transactions a month for about 250,000 businesses. The company reported in May that the breach had cost it $12.6 million so far, which includes legal costs and fines from Visa and MasterCard, who say the company was not compliant with payment card industry rules.
Heartland’s CEO Robert Baldwin Carr told Threat Level recently that the initial breach into the company’s network in December 2007 was confined to the company’s corporate network, which Carr said was separate from its card-processing network. But by May 2008, the hackers had jumped to the processing network. Carr wouldn’t say how they accomplished this.
Heartland caught the breach of the corporate network, but was unaware that the hackers were sitting on its system for months conducting reconnaissance. On April 30, Trustwave, a computer security firm, conducted its 2008 audit of Heartland and deemed it compliant with the Payment Card Industry Data Security Standard (PCI DSS). But shortly thereafter, the intruders began stealing batches of unencrypted card track data from Heartland’s network, and continued doing so for months before being discovered.
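The sniffer described above worked because card track data crossed the processing network in cleartext. As an added illustration (not code from the article or from Heartland), the following monitoring check scans captured traffic for Track 2 magnetic-stripe records, validates the card number with the Luhn checksum to cut false positives, and reports only a masked PAN; the HTTP-style sample payload and the test card number are constructed for the example.

```python
import re

# Track 2 layout: ';' start sentinel, PAN (12-19 digits), '=' separator,
# YYMM expiry, 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(rb";(\d{12,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_cleartext_track2(payload: bytes):
    """Return masked findings for every plausible Track 2 record in payload."""
    hits = []
    for m in TRACK2_RE.finditer(payload):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue            # digit run that merely looks like a PAN
        yy, mm = m.group(2).decode(), m.group(3).decode()
        if not 1 <= int(mm) <= 12:
            continue            # impossible expiry month
        masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
        hits.append({"pan_masked": masked, "expiry": f"{mm}/{yy}",
                     "offset": m.start()})
    return hits

# Constructed sample: one genuine-looking record (Luhn-valid test PAN)
# followed by a decoy that matches the layout but fails the checksum.
SAMPLE = (b"POST /auth HTTP/1.1\r\n...\r\n"
          b"track2=;4111111111111111=2512101123456789?&amount=1999"
          b"junk;4111111111111112=2512101?")

if __name__ == "__main__":
    for hit in find_cleartext_track2(SAMPLE):
        print(f"cleartext track data at offset {hit['offset']}: "
              f"{hit['pan_masked']} exp {hit['expiry']}")
```

In practice this logic sits on a span port or in a DLP sensor watching the segments where authorization traffic flows; a single hit means the data is not encrypted in transit as PCI DSS expects.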
Heartland has never disclosed the number of credit and debit card numbers stolen in its breach, but according to Liebermann Heartland accounts for the “vast majority” of the 130 million numbers mentioned in the indictment.
Gonzalez was a Secret Service informant who went by the nicks “Cumbajohnny” and “Segvec.” He was a top administrator on a carding site called Shadowcrew when he was arrested in 2003. Authorities discovered his connection to Shadowcrew and soon put him to work undercover on the site, setting up a VPN for the carders to communicate, which was controlled out of the Secret Service’s New Jersey office.
The undercover operation known as “Operation Firewall” led to the arrest of 28 members of the site in October 2004. After the site went down, Gonzalez changed his nick to “Segvec” and moved to Miami, Florida, where he resumed his life of crime under the nose of authorities who were in pursuit of “Segvec,” and ignorant of his connection to their old informant.
Gonzalez called his credit card theft ring “Operation Get Rich or Die Tryin.” As Threat Level previously reported, he spent $75,000 on a birthday party for himself and once complained to associates that he had to manually count $340,000 in stolen $20 bills after his counting machine broke.
Stephen Watt, a 25-year-old programmer who was working for Morgan Stanley, created a sniffing program dubbed “blabla” that Gonzalez’s gang used to allegedly siphon credit and debit card numbers from TJX and other companies. The indictment doesn’t charge Watt with writing the malware used in the Heartland and Hannaford breaches.
Photo of Albert Gonzalez courtesy of the U.S. Secret Service