The three culprits, one American and two unnamed Russians, are responsible for stealing more than 130 million credit and debit card numbers in 2007. They infiltrated the computer networks of Heartland, a credit card payment processing center, as well as several national retailers and supermarket chains.
A portion of the credit card numbers was then sold online, and some of the numbers were used to make unauthorized purchases and withdrawals from banks.
The primary culprit, Albert Gonzalez, 28, of Miami, has a long history in white-collar crime.
Mr. Gonzalez was arrested in May last year in conjunction with another high-profile data theft at the Dave & Buster’s restaurant chain. He has also been indicted in other thefts of credit and debit cards, including the much-publicized 2005 data breach of TJ Maxx stores.
The irony: Mr. Gonzalez once worked with federal investigators. In 2003, after being arrested in New Jersey on hacking charges, he worked to help the U.S. Secret Service identify an online underworld where stolen credit and debit card numbers are bought and sold.
How did they do it?
They went through the list of Fortune 500 companies and decided which corporations they would target. Then, they visited those companies' stores to monitor which payment systems were being used. Their online attacks took advantage of flaws in the way the targets' systems handled SQL, the programming language commonly used for databases.
The defendants placed malware “sniffer” programs onto the corporate networks, which intercepted credit card transactions in real time and transmitted the numbers to computers they had leased in the United States, the Netherlands and Ukraine.
The conspirators attempted to erase all digital footprints left by their attacks but failed.
Will they get 35 years in prison?
It seems each defendant faces the possibility of 35 years in prison and more than $1 million in fines, or twice the amount they made from the crime, whichever is greater. But we shall see what the actual sentences end up being. Unfortunately, white-collar crimes still don’t get much in the way of punishment and so they continue to be the fastest growing.
It seems Mr. Gonzalez lived a lavish lifestyle in Miami, once spending $75,000 on a birthday party for himself and complaining to friends that he had to manually count thousands of $20 bills when his counting machine broke.
What should the banks and businesses do?
Heartland, one of the world’s largest credit and debit card payment processing companies, had announced in January that its network had been breached but declined to provide many details, which is common practice and perfectly legal. These laws need to be changed because the practice creates many security violations for consumers.
This case is just more evidence that retailers and banks need to strengthen their industry standards and encrypt credit card numbers when they are transmitted between computers. Currently, major banks only agree to encrypt such data when it is stored.
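An audit check for the transmission gap described above, added here as an example and not part of the original article: it scans captured payloads from internal links for card numbers that are readable in cleartext, using the Luhn checksum to separate real card numbers from other digit runs. The flow labels and payloads are constructed samples built from published test card numbers, and all function names are hypothetical.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep first six and last four digits so the report holds no full number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_cleartext_pans(payload):
    """Return masked card numbers readable in a captured payload (bytes)."""
    hits = []
    for m in PAN_CANDIDATE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if luhn_valid(digits):
            hits.append(mask(digits))
    return hits


# Constructed sample payloads using published test card numbers, not real data.
SAMPLES = {
    "pos-to-processor (plain HTTP)": b"POST /auth HTTP/1.1\r\n\r\npan=4111111111111111&exp=1209&amt=42.50",
    "store-to-hq batch (plain)": b"TXN|5500-0000-0000-0004|19.99|APPROVED\n",
    "order id, not a card": b"order=1234567890123456&status=shipped",
    "encrypted record (opaque bytes)": b"\x17\x03\x03\x00\x20" + bytes(range(200, 232)),
}


def audit(samples):
    """Map each flow label to the masked PANs found in it; empty list means none."""
    return {label: find_cleartext_pans(data) for label, data in samples.items()}


if __name__ == "__main__":
    for label, found in audit(SAMPLES).items():
        print(f"{label}: {'CLEARTEXT PAN ' + ', '.join(found) if found else 'ok'}")
```

Any flow that reports a hit is one where a network sniffer of the kind described in the article would read the same number.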