What does the largest credit card theft teach us?

A 28-year-old man was charged with the largest credit card theft ever in the United States, in which more than 130 million card numbers were stolen, the US Justice Department said. Albert Gonzalez, of Miami, Florida, and two co-conspirators were accused of hacking into the computer networks of firms supporting major American retail and Financial organizations and stealing data.


The two co-conspirators were not named and were identified in the indictment handed down in New Jersey only as ”Hacker 1″ and “Hacker 2” living “in or near Russia.” Beginning in October 2006, Gonzalez used a sophisticated hacking technique to get around firewalls and steal information related to more than 130 million credit and debit cards, the Justice Department said in a statement. “The scheme is believed to constitute the largest hacking and identity theft case ever prosecuted by the US Department of Justice,” the US Attorney’s Office for the District of New Jersey said.


Targeted companies included Heartland Payment Systems, a New Jersey-based card payment processor; 7-Eleven Inc., a Texas-based nationwide convenience store chain; and Hannaford Brothers Co. Inc., a Maine-based supermarket chain. Gonzalez and his co-conspirators sent stolen data to computer servers they operated in Latvia, the Netherlands, the United States and Ukraine and used “sophisticated hacker techniques to cover their tracks and to avoid detection by anti-virus software used by their victims,” the Justice Department said.


Gonzalez, who operated online as “segvec,” “soupnazi” and “j4guar17,” was charged with conspiracy and conspiracy to engage in wire fraud. If convicted, he faces up to 20 years in prison for wire fraud conspiracy and an additional five years in prison for conspiracy as well as a fine of 250,000 dollars for each charge. Gonzalez is scheduled to go on trial in New York next month on separate charges for allegedly hacking into the computer network of a national restaurant chain. He is facing a separate trial next year in yet another case, in which he is accused of hacking into the computer networks of eight major retailers and stealing data related to 40 million credit cards.


The lessons are pretty simple…that there is really no Information Security Program that can prevent a security incident from happening. All IT Security initiatives can only lead to a state where the cost of higher protection is no longer justified considering the value of information that is being protected in the first place. So incase a security incident does happen, make sure your systems are configured so that event logs and audit trails capture the incident and can be reproduced as evidence.