The “I am legend” of the hacking and data theft world, Albert Gonzales, decided to plead guilty and now faces 15 to 25 years in jail. Gonzales is accused of masterminding a hacking circle that stole 130 million credit and debit card numbers from major retail chains such as Barnes and Noble, T.J. Maxx, Sports Authority, and OfficeMax.
According to The Register, Gonzales, who also used to be a government informant, agreed to plead guilty to 19 felony counts in Massachusetts by September 11. He also intends to plead guilty to a New York indictment accusing him of similar crimes that targeted 11 Dave & Buster’s restaurants. And that’s not all!
The deal does not cover a third indictment in New Jersey against Gonzalez related to the alleged theft of data from more than 130 million credit card accounts from card payment processor Heartland Payment Systems and retailers Hannaford Brothers and 7-Eleven.
As far as money is concerned, Gonzales will also say goodbye to nearly 1.65 million US dollars in cash, his Miami condominium, a 2006 BMW, laptop computers, three Rolex watches, and then some more!
Security magazines and news sites have been raving about the case of Albert Gonzales. This man holds a record no one is really proud of: he has been charged with the largest number of stolen credit and debit cards accounts, about 130 million of them.
The story of Gonzales is rather complicated. After being indicted in May in the TJX breach (until recently thought to be the largest in history), Gonzales is said to have worked with the authorities to help them find everyone involved in the breaches he had taken part in. While his defense lawyer was looking forward to a settlement, new charges surfaced. The federal authorities have charged him for attacks that breached credit card processor Heartland Payment Systems, retailers 7-Eleven and Hannaford Brothers, and a couple of other companies.
Gonzales seems to be behind all the largest data heists of the past few years:
- 130 million credit and debit card accounts taken from Heartland Payment Systems’ servers
- at least 94 million credit and debit card accounts stolen from TJX
- 4.2 million accounts were stolen from Hannaford’s servers
According to DarkReading, all the attacks Gonzales was involved in used familiar, easy-to-prevent methods to obtain the information the attackers wanted:
While the attacks appear to be phased-in and coordinated, the attackers didn’t employ any hacks that the victim organizations could not have defended against, experts say. SQL injection, for instance, is the most commonly exploited flaw in Web attacks, according to data from the Web Hacking Incident Database.
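The point the experts make above is that SQL injection is a defensible flaw, not an exotic one. The following is an added example (not code from the original post or from any of the companies named) showing why: a lookup that builds its query by string concatenation beside the same lookup written as a parameterized query. The table, rows and usernames are constructed for the demonstration; the card column holds placeholder strings, not real card data.

```python
import sqlite3

# Constructed sample data standing in for a retailer's customer table.
# The card values are placeholders, not real account numbers.
SAMPLE_ROWS = [
    ("alice", "card-ending-1111"),
    ("bob", "card-ending-0004"),
    ("o'brien", "card-ending-7777"),  # a legitimate name containing a quote
]


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, card_ref TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """The flawed pattern: user input is pasted into the SQL text.

    Whatever the caller supplies becomes part of the query's syntax, so a
    quote character in the input changes the meaning of the statement.
    """
    sql = ("SELECT username, card_ref FROM customers "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """The defended pattern: a parameterized query.

    The SQL text is fixed; the driver binds the value separately, so quotes
    and keywords in the input are treated as data, never as syntax.
    """
    sql = "SELECT username, card_ref FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both lookups on the same input and report what each returns.

    A raised sqlite3.Error from the vulnerable lookup is reported as the
    string "error" so the two behaviours can be compared side by side.
    """
    conn = make_db()
    try:
        vulnerable = lookup_vulnerable(conn, username)
    except sqlite3.Error:
        vulnerable = "error"
    safe = lookup_safe(conn, username)
    return {"vulnerable": vulnerable, "safe": safe}


if __name__ == "__main__":
    # A normal lookup behaves the same either way.
    print(compare("alice"))
    # A legitimate name with an apostrophe breaks the concatenated query
    # but is handled correctly by the parameterized one.
    print(compare("o'brien"))
    # Input that closes the quote and appends a tautology dumps every row
    # from the concatenated query; the parameterized query matches nothing.
    print(compare("x' OR '1'='1"))
```

The same table is used for all three inputs so the difference is attributable only to how the query is built. Note that the concatenated version fails on the honest customer name before any attacker is involved, which is usually the first sign in application logs that a query is being assembled from untrusted text.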
Fortunately, Gonzales is being held responsible for the breaches. Let’s just hope no one gets their minds on setting a new record! Apparently, it’s easy to achieve.
Remember TJX? The company that experienced the largest data breach in history? The one that exposed at least 45.7 million debit and credit card accounts to fraud, theft and other menaces? Yes, that TJX. This company is the perfect showcase to scare companies into implementing an effective endpoint security and data loss prevention solution, because the amounts it has kept paying since discovering the breach make us a little dizzy. OK, a lot.
The latest TJX-related news is a lawsuit settlement of 9.75 million dollars reported by Search Security. The lawsuit was brought by Attorneys General in 41 states, and according to the settlement the sum will be divided as follows: 2.5 million to create a data security fund for the states, a settlement amount of 5.5 million, and 1.75 million to cover expenses related to the states’ investigations.
According to reports from early 2009, TJX had paid a 40.9 million dollar settlement and organized a big-time sale for its customers throughout North America to compensate for the data breach damage. The same source stated TJX had set aside a 118 million dollar fund to deal with the consequences. Well, they probably can afford it. Can your company afford 20% of that? If not, or if you’d rather do something constructive with your data, take control of your confidential data now. Not later, now.
We’ve all come to refer to the TJX data breach as the largest one in history, with an estimated 45.7 million credit card accounts exposed through a breach in the discount retailer’s wireless network. Some even place the number of affected accounts in the vicinity of 94 million. Whichever the real number is, it is huge and scary, and as the breach went on over a significant period of time, it got plenty of coverage.
In the recovery process, TJX had to pay 40.9 million dollars to settle a lawsuit, and according to the Register it had created a 118 million dollar fund in August 2007 to pay for breach-related damages. Eleven people were charged in relation to the data theft and some trials are still ongoing. The retailer has made an attempt to close this dark chapter for good by offering one-day 15 percent discounts in all its US and Canadian stores, as a token of its appreciation to customers “for retaining their loyalty after it did such a bad job of retaining their records”.
Nice strategy to reward customers, build trust and boost sales at the same time! But I believe they also need to implement all the cutting-edge security tools on the market and make every newly added layer of protection public, to ease the minds of those affected.
The FBI has arrested 11 people in the case of the largest identity theft and data breach in history, which targeted TJX and other companies. The suspects, of whom three are US citizens, are believed to have taken part in the theft of over 40 million credit and debit card accounts from 9 major retailers and restaurants. Stealing that much data was possible after installing malicious software on the systems of TJX Companies, BJ’s Wholesale Club, OfficeMax, Barnes & Noble, Sports Authority, Forever 21, DSW, Dave & Buster’s and Boston Market.
Unsurpassed in the time since, the breach has been covered constantly by the media. The Register tells the story of the breach in a recent article: at the beginning of 2007, TJX first reported a breach by unknown individuals who had at that time stolen 46.5 million credit cards, a number later shown to be twice as high. According to the Register, the fraud had been going on for quite a while when TJX reported it, as a year earlier industry watchers had noticed an unusual increase in debit card fraud at retailers OfficeMax and Sam’s Club.
The US Attorney for Massachusetts and the US Attorney General have both commented on the issue:
“While technology has made our lives much easier it has also created new vulnerabilities,” Michael J. Sullivan, US Attorney for the District of Massachusetts, said in a statement announcing the indictments. “This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results.”
“They used sophisticated computer hacking techniques, breaching security systems and installing programs that gathered enormous quantities of personal financial data, which they then allegedly sold to others or used themselves,” US Attorney General Michael Mukasey said in prepared remarks. “And in total, they caused widespread losses by banks, retailers, and consumers.”
Besides a sophisticated, high-end technique for stealing the information, the ring of thieves also had multiple ways to turn the theft into profit, either by selling the data to other criminals or by using it to create fake cards and withdraw thousands of dollars at a time.
The eleven arrested individuals are from the United States, Estonia, Ukraine, the People’s Republic of China and Belarus. The FBI is still in pursuit of another member of the group who is only known by his online alias and continues to elude authorities. Let’s hope he’s caught soon enough!