WASHINGTON - Federal prosecutors Monday charged a Miami man with the largest case of credit and debit card data theft ever in the United States, accusing the one-time government informant of plotting to swipe 130 million accounts on top of 40 million he stole previously.
Albert Gonzalez, 28, broke his own record for identity theft by hacking into retail networks, according to prosecutors, though they said his illicit computer exploits ended when he went to jail on charges stemming from an earlier case.
He was charged in 2008 with illegally obtaining the credit card information of 5,000 customers at a Dave & Buster's in Islandia. He pleaded not guilty.
In the latest case, he was indicted Monday by a federal grand jury in New Jersey and charged with conspiring with two other unnamed suspects to steal the private information and sell it to others, according to prosecutors.
Gonzalez and the other hackers living "in or near Russia" were indicted on a charge of allegedly stealing data from Heartland Payment Systems Inc., 7-Eleven Corp., Delhaize Group's Hannaford Brothers Co., a regional supermarket chain, and two unidentified national retailers.
Gonzalez allegedly devised a sophisticated attack to penetrate the computer networks, steal the card data and send that data to computer servers in California, Illinois, Latvia, the Netherlands and Ukraine.
Gonzalez and the two others stole 130 million card numbers from Heartland, a bank-card payment processor, starting in December 2007, by using malicious computer software, according to the 14-page indictment. An undetermined number of card numbers were stolen from 7-Eleven and 4.2 million from Hannaford.
"The scope is massive," said Assistant U.S. Attorney Erez Liebermann. "This guy worked very, very hard at something he was very good at.
He found the right people to successfully accomplish his objective, which was to identify victim corporations and steal credit and debit card numbers."
Targeted Fortune 500
An attorney for Gonzalez, Rene Palomino Jr., didn't immediately return a call.
In the latest case, the hackers scouted potential victims by reviewing a list of Fortune 500 companies and then visiting retail stores to identify the payment processing systems and their vulnerabilities, prosecutors said. They used malicious software known as malware and so-called injection strings to attack the computers and steal data, prosecutors said.
They installed "sniffer" programs to capture data "on a real-time basis" as it moved through the computer networks, and used instant messaging services to advise each other on how to navigate the systems, according to the indictment.
They also programmed malware to evade detection by anti-virus software and erase files that might detect its presence, prosecutors said.
Malicious software found
Heartland, based in Princeton, N.J., is used by 175,000 businesses at 250,000 locations. The company said Jan. 20 that it found "malicious software" in its processing system that hackers used to steal data in 2008.
At the time, that was believed to be the biggest single case of hacking private computer networks to steal credit card data, puncturing the electronic defenses of retailers including T.J. Maxx, Barnes & Noble, Sports Authority and OfficeMax. Prosecutors charge Gonzalez was the ringleader.