17 Aug 2009, Iain Thomson, V3
Three men, one US citizen and two Russians, have been indicted for the largest data theft in US history.
Albert Gonzalez, also known as 'segvec', 'soupnazi' and 'j4guar17', and two unnamed accomplices have been charged by the Department of Justice (DoJ) with conspiracy to illegally access computers and conspiracy to engage in wire fraud.
Gonzalez is already in custody for the hacking of eight major retailers in an attempt to steal the details of 40 million credit cards.
"This investigation marks the continued success of law enforcement in tracking down cutting-edge hacking schemes committed by hackers working together across the globe," said acting US attorney Ralph Marra.
The trio used an SQL injection attack from proxy servers in California, Illinois, Latvia, the Netherlands and Ukraine to attack retail sites, and took elaborate precautions to cover their tracks, such as testing their malware against 20 leading security vendors' software and designing the attack code so that it deleted data on its activities.
The men stole information from 7-Eleven, Miami supermarket chain Hannaford Brothers and Heartland Payment Systems among others. The DoJ said that the companies' co-operation had been key to catching the three.
"When companies make the decision to work with law enforcement and disclose a data breach at the earliest possible opportunity, it provides the best chance of apprehending a hacker, and demonstrates that those corporate victims will actively defend their systems," Marra said.
The three men each face 35 years in prison, plus a substantial fine. It is not known whether the two Russian team members have been arrested.
Keeping customers safe online
This scam highlights the vulnerability of web applications. Businesses can, however, put in place simple measures to stop their customers falling victim to threats such as SQL injection attacks. Credit card numbers should be monitored as a matter of course, so that any irregularities that put personal data at risk can swiftly be identified. Once personal details have been accessed, it will be difficult to retrospectively stop fraud from taking place. Proactive measures will help organisations feel more confident in the security of their infrastructure and, in turn, the details of their customers.
Posted by Graham Moore, e-retail specialist, Zeus Technology, 19 Aug 2009
A good step toward securing financial information
Monday's indictment of three hackers, who are charged with committing one of the largest credit card thefts in history, is a good step toward securing the nation's financial information. By holding the individuals accountable for their actions, we send a strong message to would-be hackers. The incident also shines a focus on the importance of collecting log records, which document security breaches so that they can be discovered and responded to. Without logs, there is no evidence, and without evidence law enforcement cannot even start an investigation. It is important to treat and protect log data as critical evidence as a standard practice in order to ensure that this electronic evidence will be admissible in court. With a log management solution in place before a breach occurs, the organisation is prepared to collect, store, and maintain chain of custody of those logs so that they are admissible in a court of law, thereby enabling prosecutors to bring the criminals to justice.
Posted by Dominique Levin, VP Marketing and Strategy at LogLogic Inc, 19 Aug 2009