
TJX, Heartland Hacker Convicted and gets 20 Years!

Oct 26, 2010

Hacker Sentenced to 20 Years for Breach of Credit Card Processor
By Kim Zetter, March 26, 2010, 3:11 pm. Categories: Breaches, Crime, Cybersecurity, Hacks and Cracks
BOSTON — Convicted TJX hacker Albert Gonzalez was sentenced to 20 years and a day, and fined $25,000 on Friday for his role in breaches into Heartland Payment Systems, 7-Eleven and other companies.

The sentence will run concurrently with a 20-year sentence he received on Thursday in two other cases involving hacks into TJX, Office Max, Dave & Busters restaurants and others, so it adds only one day to his total prison term. Restitution will be decided at a future hearing.

“I understand the road to redemption will be long,” said Gonzalez, 28, before the sentence was pronounced.

Photo: Albert Gonzalez at the 2001 DefCon hackers' convention in Las Vegas

Gonzalez, who once dubbed his criminal enterprise “Operation Get Rich or Die Tryin’,” had faced a sentence of between 17 and 25 years for the intrusions.

He was indicted last August — along with two unnamed East European hackers known only as “Grigg” and “Annex” — on charges of hacking into Heartland Payment Systems, a New Jersey card-processing company, as well as Hannaford Brothers supermarket chain, 7-Eleven and two unnamed national retailers.

Lawyers representing the two unnamed companies spent 30 minutes Friday trying to persuade the court not to unseal documents identifying those retailers, who suffered breaches, but no known loss of sensitive customer data. In the end, U.S. District Judge Douglas Woodlock ordered the documents unsealed, paving the way for the companies to be identified. [Update: One of the companies has been confirmed as JC Penney, by the blog Storefront Backtalk, which reported last year that the company was believed to be among the targets. The second company is Wet Seal.]

According to the government, Gonzalez and an uncharged conspirator found the targets on a list of Fortune 500 companies and then did reconnaissance to determine the payment-processing systems they used. They then uncovered vulnerabilities in the systems they could exploit.

Using a SQL-injection attack, the hackers broke into the 7-Eleven network in August 2007, stealing an undetermined amount of card data. They used the same kind of attack to infiltrate Hannaford Brothers in November 2007, which resulted in 4.2 million stolen debit and credit card numbers; and into Heartland on Dec. 26, 2007. Of the two unnamed national retailers mentioned in the affidavit, one was breached on Oct. 23, 2007, and the other sometime around January 2008.

Once on the networks, the hackers installed back doors to provide them with continued access. They tested their malware against 20 different antivirus programs to make sure they wouldn’t be detected, and also programmed the malware to erase evidence from the hacked networks to avoid forensic detection.

The initial breach into Heartland was confined to the company’s corporate network, which was separate from its card-processing network. But by May 2008, the hackers had jumped to the processing network. Heartland discovered the hackers on its network only in January 2009 after being told by credit card companies that it might have been breached.

According to prosecutors, the breaches of Heartland and Hannaford resulted in the theft of data from 130 million credit and debit cards. The company claimed losses of $130 million.

Although Gonzalez pleaded guilty to the charges, his attorney said in a sentencing memo that he played only a peripheral role in this case, as opposed to the ringleader role he played in the TJX hack.

According to the memo, the intrusions and data theft in this case were conducted by “Grigg” and “Annex,” and Gonzalez learned of the breach only after the fact. He also did not participate in the sale of the stolen card data “nor did he profit from any of the intrusions at issue in this case.”

His only role was to provide the hackers “with certain services he controlled” and to ask another hacker to modify malware that one of the East European hackers might have designed.

He had only “minor and insignificant” involvement in the 7-Eleven intrusion as well. For this reason, he should receive the minimum sentence, his attorney argued.

Gonzalez’s crimes were committed mostly between 2005 and 2008 while he was drawing a $75,000 salary working for the U.S. Secret Service as a paid undercover informant.

“It would take an enormous number of robberies to capture the amount of money” stolen by Gonzalez and his crew, Woodlock told the hacker. “This is real time. And it’s meant to deliver a message to others.”

Source: wired.com

Read more: http://www.wired.com/threatlevel/2010/03/heartland-sentencing/
