Accessibility links

U.S. Prosecutors Charge Three In Largest Identity Theft In History


The three men are alleged to have stolen credit-card information from the U.S. convenience store chain 7-Eleven, the Hannaford Brothers supermarket chain, and a major credit-card payment processor, Heartland Payment Systems.

The three men are alleged to have stolen credit-card information from the U.S. convenience store chain 7-Eleven, the Hannaford Brothers supermarket chain, and a major credit-card payment processor, Heartland Payment Systems.

(RFE/RL) -- Officials in the United States have charged a 28-year-old American man and two foreign accomplices -- identified as "having resided in or near Russia" -- with data theft from an estimated 130 million credit and debit cards.

That makes it the largest recorded identity theft in U.S. history.

On August 17, prosecutors indicted the three men for breaching corporate data systems on five occasions between 2006 and 2008. They are alleged to have stolen credit-card information from the U.S. convenience store chain 7-Eleven, the Hannaford Brothers supermarket chain, and a major credit-card payment processor, Heartland Payment Systems.

The American, identified as Albert Gonzalez, was charged last year in a separate case with stealing the data of 40 million credit-card accounts. At the time, this was believed to have been the largest credit-card fraud to date.

Gonzalez has been in custody since May 2008, when he was indicted in that case. Among his online monikers, he used the name "soupnazi."

The two others indicted on August 17 have no connection to the case brought against Gonzalez in 2008, according to prosecutors. The men are unnamed in the indictment, where they are simply referred to as "Hacker 1" and "Hacker 2."

The text of the indictment describes the men as having "resided in or near Russia." Prosecutors have not said where the men currently are.

Eastern Connections

The three men identified potential targets by reviewing a list of Fortune 500 companies. They then probed the vulnerabilities of the data-security systems of the potential victims.

To carry out the actual attack, the co-conspirators used sophisticated computer techniques. According to prosecutors, the men employed what is called an "SQL injection attack," which allows the hacker to bypass system firewalls. They placed harmful software, known as malware, to allow them access to the networks at a time of their choosing.

They also took special care to erase all possible indications of the security breaches to avoid discovery. The stolen data was sent to servers in California, Illinois, the Netherlands, Latvia, and Ukraine. Mentioned repeatedly in the indictment, the Ukrainian server seems to have been particularly important in the plot.

While the two foreigners indicted on August 17 are not connected to the case brought against Gonzalez's in 2008, this earlier case also showed relationships between Gonzalez and Eastern European individuals. Of the 11 people charged in the case last year, one is from Estonia, one is from Belarus, and three are from Ukraine. In addition, computer servers in Latvia and Ukraine were important in that scheme.

The latest case against Gonzalez and his two co-conspirators is being prosecuted by the New Jersey U.S. Attorney's office and the Department of Justice's Computer Crime and Intellectual Property section. The investigative agency handling the case is the U.S. Secret Service.

There is an ironic twist to the role of the Secret Service in bringing about the latest indictment. Gonzalez had previously worked as an informant at the Secret Service, helping the agency catch computer hackers.

For the charges laid out in the indictment, each defendant faces up to 35 years in prison, if convicted, along with considerable financial penalties.

compiled from news agency reports
XS
SM
MD
LG