Federal prosecutors on Thursday charged five men with what is believed to be the largest hacking and data breach scheme ever prosecuted in the U.S.
According to the criminal indictment, the individuals targeted more than a dozen firms — including Carrefour SA, J.C. Penney Co. Inc., The Wet Seal Inc., the Nasdaq Stock Market, 7-Eleven, Visa Inc., Dexia Bank Belgium and Heartland Payment Systems — that resulted in the theft of more than 160 million credit card numbers and more than $300 million in losses. According to the indictment, the alleged scheme began in 2005 and continued until July 2012.
The indictment alleged that the defendants hacked into the computer networks through an “SQL injection attack,” in which the Structured Query Language that programmers used to manage data was tested for vulnerabilities and then infiltrated through malicious codes, or malware, on the system. The indictment also said the defendants, who regained access to networks through persistent attacks after losing access due to security efforts, had malware implanted in multiple companies’ servers for more than a year. Once in the system, the defendants used “sniffers” to collect and steal data that was then sold to third parties.
Retailers such as Wet Seal and J.C. Penney were victims of the SQL attack that resulted in malware placement on their networks.
According to the U.S. Department of Justice, each stolen American credit card number and associated data was sold to a buyer for $10, the Canadian equivalent information for $15 and a European counterpart for $50. The numbers and related data were then sold to resellers around the world. End users take the information and imprint it on the magnetic strips of new credit cards for use at a store.
In addition to the five men — four are from Russia and one from the Ukraine — the indictment listed four co-conspirators who were not indicted in today’s unsealed document. One of those individuals named as a co-conspirator is Albert Gonzalez, a Miami resident who was sentenced to 20 years imprisonment in 2010 for his role in leading a group of cyber thieves stealing more than 40 million credit and debit numbers in a Boston federal indictment in what was then considered the largest U.S. identity theft case. The 2008 Boston indictment charged him with hacking into retailers’ wireless networks along U.S. Route 1 in Miami. The largest target in that scheme was The TJX Cos. Inc. Others were Sports Authority, DSW and BJ’s Wholesale Club. He also faced indictments in New York and New Jersey. The New Jersey indictment was the one unsealed today, but had remained sealed since 2009.
Mitchell Epner, counsel to the law firm of Wilk Auslander and a former federal prosecutor in New Jersey, said, “It’s not unusual to have an indictment under seal for several years. Often times it is because the defendants are out of the country and you want to have the indictment in place to stop the statute of limitations from running out.”
The former prosecutor also explained that both the U.S. Attorney’s Office in New Jersey and the Department of Justice have been at the forefront of tackling these types of information technology and data privacy cases.
“This is very serious stuff,” Epner said. “The two offices recognize that if people really fear identity theft and credit card theft, they may stop using credit cards and then we go back to what retail was in the Seventies. It’s a lot less convenient when you have to rely on cash and not credit. Data breaches are not just crimes against the victims, but it also threatens the entire [payments] system,” the attorney said.
Epner explained why the premium at $50 was so high for a European credit card number and related data when compared with the American cost, noting that the fraud is discovered less quickly in Europe than with a card from North America and that the card’s value is heightened by how long one can use it before it being flagged.
“The whole value in stealing credit card information is the ability to use it to get real goods and services. These defendants can get more goods and services with a European credit card than a stolen U.S. credit card. Someone handing over a U.S. credit card to a shop, but who doesn’t look like an American, will set off red flags,” he said.
“This type of crime is cutting-edge,” said New Jersey U.S. Attorney Paul J. Fishman. “Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy and our national security.”
Fishman’s office disclosed that the defendants covered their tracks through encrypted communications or by meeting in person. They also allegedly altered the settings of infiltrated networks to disable security mechanisms from logging their actions, as well as evade security software protections.
Of the retailers and credit firms, 7-Eleven declined comment, while only Wet Seal responded to questions as of press time. Alyson Barker, Wet Seal’s general counsel, said, “In May 2008, we became aware that a criminal group obtained unauthorized access to our information systems in an attempt to steal credit and debit card data of our customers. Through an investigation led by an independent, third-party computer forensics firm, and corroborated by members of the U.S. Secret Service and U.S. Department of Justice, we found no evidence to indicate that any customer credit or debit card data or other personally identifiable information was taken. In working with the major credit card processing agencies, we also identified no instances of fraud to suggest that any such data was taken.
“Since 2008, Wet Seal has implemented numerous system enhancements to eliminate our vulnerability to this type of attack. The security of our customers’ personal information is of utmost importance to us, and we acted quickly and decisively when this matter arose five years ago. We are pleased that time has proven, as we believed from the outset, that none of our customer information was taken.”
Charges in Thursday’s 11-count indictment ranged from conspiracy to unauthorized access to computers to wire fraud. The maximum term of imprisonment for some charges is five years and for other charges, as much as 30 years. No trial date has been set.
Two of the defendants were arrested while traveling in the Netherlands. Three others remain fugitives. In addition, one of the men who remains at large is also the subject of two federal indictments from the U.S. Attorney’s Office in Manhattan. One indictment is for the alleged hacking of computer servers used by Nasdaq and the other for alleged stealing of bank account information by hacking U.S.-based financial institutions.
Assisting in the investigation that led to the indictment disclosed on Thursday included special agents from the U.S. Secret Service, public prosecutors with the Dutch Ministry of Security and Justice, as well as the U.S. Attorney’s Offices in Kansas and Georgia.
“Azzedine has been one of the biggest influences in my life. He has always been such a strong, loving, fatherly figure to me. I call him Papa. His designs are indescribably unique, they are pieces of art. He knew how to make the female form look its loveliest. I have so many memories of him; my favorite might be during my first show with him in Paris. He liked me and he wanted to help me get more work. He called all his friends at Kenzo and Comme des Garcons, and asked them to book me. They said, ‘But she can’t walk!’ And he said, ‘but she has such a great ass!' His friendship and support has been the great privilege of my career. I can't imagine life without him. Repose en paix mon Papa.” - @stephanieseymour tells @wwd. #wwdfashion (📷: @steveeichner) #alaia #azzedinealaia
Azzedine Alaïa, flanked by two of his closest friends, models Stephanie Seymour and Naomi Campbell.
He designed Seymour’s dress for her 1995 wedding to Peter Brant, and treated Campbell (who famously called him Papa), like a daughter. For more on the legendary designer, tap the link in bio. #wwdfashion #alaia #azzedinealaia
Azzedine Alaïa's “I-did-it-my-way” ethos stood out starkly at a time when brands are experimenting with consumer-facing fashion shows, coed formats and trans-seasonal collections – anything to perk up lackluster sales of ready-to-wear in an age of Insta-everything. “It’s not creation anymore. This becomes a purely industrial approach,” the late designer told WWD in an interview last year. “But anyway, the rhythm of collections is so stupid. It’s unsustainable. There are too many collections.” Read more about the iconic designer’s life and work on wwd.com, link in bio. #wwdfashion #azzedinealaia (📷: @WWD Archive, 1986) #alaia
Sneaker reselling app @goat’s latest exhibit, "The Greatest: New York," tells the story of New York's sneaker culture. To celebrate the exhibit, an intimate crowd gathered on Thursday night at the pop-up gallery space, located at Platform in Culver City, to hear guest speaker and illustrator @esymai talk about her own rise in streetwear and women in the business. "For me I'm just someone who is creative. I like to create things," said Chang. #wwdfashion
Azzedine Alaïa, one of the most iconic couturiers of the modern era whose body-con designs defined Eighties fashion, has died in Paris. The diminutive Tunisian-born designer, known for his structured knitted dresses with fitted waists and impeccably cut, figure-hugging second skin silhouettes was deeply admired by his peers, and counted supermodel Naomi Campbell - his adoptive daughter - among his inner circle, one of a gang of glamazons including Farida Khelfa, Carla Bruni and Stephanie Seymour who became ambassadors of his style. (📷: Alexandre Guirkinger) #wwdblast