Federal prosecutors on Thursday charged five men with what is believed to be the largest hacking and data breach scheme ever prosecuted in the U.S.
According to the criminal indictment, the individuals targeted more than a dozen firms — including Carrefour SA, J.C. Penney Co. Inc., The Wet Seal Inc., the Nasdaq Stock Market, 7-Eleven, Visa Inc., Dexia Bank Belgium and Heartland Payment Systems — that resulted in the theft of more than 160 million credit card numbers and more than $300 million in losses. According to the indictment, the alleged scheme began in 2005 and continued until July 2012.
The indictment alleged that the defendants hacked into the computer networks through an “SQL injection attack,” in which the Structured Query Language that programmers used to manage data was tested for vulnerabilities and then infiltrated through malicious codes, or malware, on the system. The indictment also said the defendants, who regained access to networks through persistent attacks after losing access due to security efforts, had malware implanted in multiple companies’ servers for more than a year. Once in the system, the defendants used “sniffers” to collect and steal data that was then sold to third parties.
Retailers such as Wet Seal and J.C. Penney were victims of the SQL attack that resulted in malware placement on their networks.
According to the U.S. Department of Justice, each stolen American credit card number and associated data was sold to a buyer for $10, the Canadian equivalent information for $15 and a European counterpart for $50. The numbers and related data were then sold to resellers around the world. End users take the information and imprint it on the magnetic strips of new credit cards for use at a store.
In addition to the five men — four are from Russia and one from the Ukraine — the indictment listed four co-conspirators who were not indicted in today’s unsealed document. One of those individuals named as a co-conspirator is Albert Gonzalez, a Miami resident who was sentenced to 20 years imprisonment in 2010 for his role in leading a group of cyber thieves stealing more than 40 million credit and debit numbers in a Boston federal indictment in what was then considered the largest U.S. identity theft case. The 2008 Boston indictment charged him with hacking into retailers’ wireless networks along U.S. Route 1 in Miami. The largest target in that scheme was The TJX Cos. Inc. Others were Sports Authority, DSW and BJ’s Wholesale Club. He also faced indictments in New York and New Jersey. The New Jersey indictment was the one unsealed today, but had remained sealed since 2009.
Mitchell Epner, counsel to the law firm of Wilk Auslander and a former federal prosecutor in New Jersey, said, “It’s not unusual to have an indictment under seal for several years. Often times it is because the defendants are out of the country and you want to have the indictment in place to stop the statute of limitations from running out.”
The former prosecutor also explained that both the U.S. Attorney’s Office in New Jersey and the Department of Justice have been at the forefront of tackling these types of information technology and data privacy cases.
“This is very serious stuff,” Epner said. “The two offices recognize that if people really fear identity theft and credit card theft, they may stop using credit cards and then we go back to what retail was in the Seventies. It’s a lot less convenient when you have to rely on cash and not credit. Data breaches are not just crimes against the victims, but it also threatens the entire [payments] system,” the attorney said.
Epner explained why the premium at $50 was so high for a European credit card number and related data when compared with the American cost, noting that the fraud is discovered less quickly in Europe than with a card from North America and that the card’s value is heightened by how long one can use it before it being flagged.
“The whole value in stealing credit card information is the ability to use it to get real goods and services. These defendants can get more goods and services with a European credit card than a stolen U.S. credit card. Someone handing over a U.S. credit card to a shop, but who doesn’t look like an American, will set off red flags,” he said.
“This type of crime is cutting-edge,” said New Jersey U.S. Attorney Paul J. Fishman. “Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy and our national security.”
Fishman’s office disclosed that the defendants covered their tracks through encrypted communications or by meeting in person. They also allegedly altered the settings of infiltrated networks to disable security mechanisms from logging their actions, as well as evade security software protections.
Of the retailers and credit firms, 7-Eleven declined comment, while only Wet Seal responded to questions as of press time. Alyson Barker, Wet Seal’s general counsel, said, “In May 2008, we became aware that a criminal group obtained unauthorized access to our information systems in an attempt to steal credit and debit card data of our customers. Through an investigation led by an independent, third-party computer forensics firm, and corroborated by members of the U.S. Secret Service and U.S. Department of Justice, we found no evidence to indicate that any customer credit or debit card data or other personally identifiable information was taken. In working with the major credit card processing agencies, we also identified no instances of fraud to suggest that any such data was taken.
“Since 2008, Wet Seal has implemented numerous system enhancements to eliminate our vulnerability to this type of attack. The security of our customers’ personal information is of utmost importance to us, and we acted quickly and decisively when this matter arose five years ago. We are pleased that time has proven, as we believed from the outset, that none of our customer information was taken.”
Charges in Thursday’s 11-count indictment ranged from conspiracy to unauthorized access to computers to wire fraud. The maximum term of imprisonment for some charges is five years and for other charges, as much as 30 years. No trial date has been set.
Two of the defendants were arrested while traveling in the Netherlands. Three others remain fugitives. In addition, one of the men who remains at large is also the subject of two federal indictments from the U.S. Attorney’s Office in Manhattan. One indictment is for the alleged hacking of computer servers used by Nasdaq and the other for alleged stealing of bank account information by hacking U.S.-based financial institutions.
Assisting in the investigation that led to the indictment disclosed on Thursday included special agents from the U.S. Secret Service, public prosecutors with the Dutch Ministry of Security and Justice, as well as the U.S. Attorney’s Offices in Kansas and Georgia.
In his new book “Hollywood Royale,” Andy Warhol’s Protégé Matthew Rolston celebrates the Eighties revival of Hollywood glamour. Featuring more than 100 portraits taken by Rolston from 1977 to 1993, the book contains photos of icons like Michael Jackson, Cyndi Lauper, and @drewbarrymore, pictured here in 1991. “Hollywood Royale,” out today, will be accompanied by an exhibition opening at Los Angeles’ Fahey/Klein Gallery on March 1. #wwdeye
"Nowadays when life is not so happy with everything going on in the world, I think people come to me for a little bit of whimsy and color and fun." - Designer Rebecca De Ravenel on her cult-favorite jewelry line. (📸 : @vsteves) #wwd40
“Everyone is talking about how the retail industry is struggling, but I think it’s an incredible time because brands who are doing something different and innovative are setting themselves up for the future,” said @adamgoldston, who founded the luxury athletic brand @apl with his brother @ryangoldsten. The Goldston’s are part of WWD’s 40 under 40: a group of industry notables. See the rest of the list on WWD.com. (📷: @vsteves) #wwd40
@eyeswoon blogger Athena Calderone debuted her first-ever cookbook, “Cook Beautiful,” which is heavily centered on the presentation and visual expression of food. Pictured here are her miso glazed carrots from the book. Get the recipe on WWD.com. (📷: @johnny_miller_) #wwdeye
“It’s passion that helps get anybody to a certain point and it’s what’s propelled me,” said Kith founder @ronniefieg, one of WWD’s 40 under 40: a group of industry notables who are changing the face of retail, fashion and beauty. Fieg, who opened a Manhattan flagship on October 7, began his career at age 13 as a stock boy and salesman for footwear chain David Z. “I think staying true to [my] beliefs, hard work and passion have gotten me to where [Kith] is today.” See the rest of the 40 at WWD.com. (📷: @vsteves) #wwd40
25-year-old @samweaving is about to break out this fall, starring in Netflix’s horror film “The Babysitter,” fittingly out today on Friday the 13th. That’s not the only place you’ll be seeing her, though — Weaving’s got a role Showtime’s “SMILF” and another alongside Frances McDormand and Woody Harrelson in “Three Billboards Outside Ebbing, Missouri.” Though she’s got a full plate at the moment, there’s one role she’s got her eye on: Marilyn Monroe. “I’m a little too young at the moment, but it’s on my bucket list,” the actress told WWD (📷: @dandoperalski) #wwdeye
BFF's Poppy Jamie and Suki Waterhouse celebrated the launch of their bag line Pop x Suki at Nordstrom last night. "The line is really about our friendship, and how we are so different but complement each other," said Waterhouse. 👯 (📷: Katie Jones) #wwdeye
After designing the new @louisvuitton and @bulgariofficial flagships and a @chanelofficial boutique opening in Japan, @petermarinoarchitect has another project on his plate: The Lobster Club. Located in the Seagram Building, it’s the famed architect’s first restaurant project in New York, serving up modern Japanese brasserie-style cuisine. Bronze hues, bespoke material detailing, blush and chartreuse tones and a heavy emphasis on Picasso can be seen throughout. Mark your calendars for Nov. 1 for the much-anticipated opening. (📷: @clint_spaulding) #wwdeye
Did you know: @carlychaikin of "Mr. Robot" has been painting for about a decade? The actress, who plays Darlene on the show, is a self-taught artist who lists Salvador Dalí and Chuck Close as some of her idols. Chaikin told WWD that painting is a form of meditation for her — A much-needed one given the intensity of "Mr. Robot." See a piece Chaikin is working on at WWD.com (📷: @jilliansollazzo) #wwdeye