Five Indicted for Largest Known Data Breach Conspiracy

The federal indictment was made public today in New Jersey; major retailers among those targeted.

Federal prosecutors on Thursday charged five men with what is believed to be the largest hacking and data breach scheme ever prosecuted in the U.S.

This story first appeared in the July 26, 2013 issue of WWD.  Subscribe Today.

According to the criminal indictment, the individuals targeted more than a dozen firms — including Carrefour SA, J.C. Penney Co. Inc., The Wet Seal Inc., the Nasdaq Stock Market, 7-Eleven, Visa Inc., Dexia Bank Belgium and Heartland Payment Systems — that resulted in the theft of more than 160 million credit card numbers and more than $300 million in losses. According to the indictment, the alleged scheme began in 2005 and continued until July 2012.

The indictment alleged that the defendants hacked into the computer networks through an “SQL injection attack,” in which the Structured Query Language that programmers used to manage data was tested for vulnerabilities and then infiltrated through malicious codes, or malware, on the system. The indictment also said the defendants, who regained access to networks through persistent attacks after losing access due to security efforts, had malware implanted in multiple companies’ servers for more than a year. Once in the system, the defendants used “sniffers” to collect and steal data that was then sold to third parties.

Retailers such as Wet Seal and J.C. Penney were victims of the SQL attack that resulted in malware placement on their networks.

According to the U.S. Department of Justice, each stolen American credit card number and associated data was sold to a buyer for $10, the Canadian equivalent information for $15 and a European counterpart for $50. The numbers and related data were then sold to resellers around the world. End users take the information and imprint it on the magnetic strips of new credit cards for use at a store.

In addition to the five men — four are from Russia and one from the Ukraine — the indictment listed four co-conspirators who were not indicted in today’s unsealed document. One of those individuals named as a co-conspirator is Albert Gonzalez, a Miami resident who was sentenced to 20 years imprisonment in 2010 for his role in leading a group of cyber thieves stealing more than 40 million credit and debit numbers in a Boston federal indictment in what was then considered the largest U.S. identity theft case. The 2008 Boston indictment charged him with hacking into retailers’ wireless networks along U.S. Route 1 in Miami. The largest target in that scheme was The TJX Cos. Inc. Others were Sports Authority, DSW and BJ’s Wholesale Club. He also faced indictments in New York and New Jersey. The New Jersey indictment was the one unsealed today, but had remained sealed since 2009.

Mitchell Epner, counsel to the law firm of Wilk Auslander and a former federal prosecutor in New Jersey, said, “It’s not unusual to have an indictment under seal for several years. Often times it is because the defendants are out of the country and you want to have the indictment in place to stop the statute of limitations from running out.”

The former prosecutor also explained that both the U.S. Attorney’s Office in New Jersey and the Department of Justice have been at the forefront of tackling these types of information technology and data privacy cases.

“This is very serious stuff,” Epner said. “The two offices recognize that if people really fear identity theft and credit card theft, they may stop using credit cards and then we go back to what retail was in the Seventies. It’s a lot less convenient when you have to rely on cash and not credit. Data breaches are not just crimes against the victims, but it also threatens the entire [payments] system,” the attorney said.

Epner explained why the premium at $50 was so high for a European credit card number and related data when compared with the American cost, noting that the fraud is discovered less quickly in Europe than with a card from North America and that the card’s value is heightened by how long one can use it before it being flagged.

“The whole value in stealing credit card information is the ability to use it to get real goods and services. These defendants can get more goods and services with a European credit card than a stolen U.S. credit card. Someone handing over a U.S. credit card to a shop, but who doesn’t look like an American, will set off red flags,” he said.

“This type of crime is cutting-edge,” said New Jersey U.S. Attorney Paul J. Fishman. “Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy and our national security.”

Fishman’s office disclosed that the defendants covered their tracks through encrypted communications or by meeting in person. They also allegedly altered the settings of infiltrated networks to disable security mechanisms from logging their actions, as well as evade security software protections.

Of the retailers and credit firms, 7-Eleven declined comment, while only Wet Seal responded to questions as of press time. Alyson Barker, Wet Seal’s general counsel, said, “In May 2008, we became aware that a criminal group obtained unauthorized access to our information systems in an attempt to steal credit and debit card data of our customers. Through an investigation led by an independent, third-party computer forensics firm, and corroborated by members of the U.S. Secret Service and U.S. Department of Justice, we found no evidence to indicate that any customer credit or debit card data or other personally identifiable information was taken. In working with the major credit card processing agencies, we also identified no instances of fraud to suggest that any such data was taken.

“Since 2008, Wet Seal has implemented numerous system enhancements to eliminate our vulnerability to this type of attack. The security of our customers’ personal information is of utmost importance to us, and we acted quickly and decisively when this matter arose five years ago. We are pleased that time has proven, as we believed from the outset, that none of our customer information was taken.”

Charges in Thursday’s 11-count indictment ranged from conspiracy to unauthorized access to computers to wire fraud. The maximum term of imprisonment for some charges is five years and for other charges, as much as 30 years. No trial date has been set.

Two of the defendants were arrested while traveling in the Netherlands. Three others remain fugitives. In addition, one of the men who remains at large is also the subject of two federal indictments from the U.S. Attorney’s Office in Manhattan. One indictment is for the alleged hacking of computer servers used by Nasdaq and the other for alleged stealing of bank account information by hacking U.S.-based financial institutions.

Assisting in the investigation that led to the indictment disclosed on Thursday included special agents from the U.S. Secret Service, public prosecutors with the Dutch Ministry of Security and Justice, as well as the U.S. Attorney’s Offices in Kansas and Georgia.