Three men arrested in largest-ever data breach

Three men were indicted in New Jersey on August 17 for stealing more than 130 million credit and debit card numbers, according to the US Department of Justice. It is the largest hacking and identity theft case ever prosecuted by the Justice Department.

The information was hacked from five corporate entities: Heartland Payment Systems, Princeton, NJ; 7-Eleven Inc. and Hannaford Brothers Co., as well as two unidentified corporate victims as being hacked by the co-conspirators.

The two-count indictment alleges that Albert Gonzalez of Miami, Fla. and two unnamed co-conspirators (“Hacker 1” and “Hacker 2,” both of Russia) orchestrated attacks through what is known as a SQL-injection attack that exploits security vulnerabilities in elements of a computer that receives user input. The first count charges conspiracy to gain unauthorized access to computers, commit fraud in connection with computers and damage computers; and the second count charges conspiracy to commit wire fraud.

Each defendant faces a maximum of five years in prison on the first count, and an additional 30 years on the second count. In addition, each of them is subject to a maximum fine of $250,000 for count one and $1 million for count two, or twice the gain resulting from the offense, whichever is greater.

Gonzalez was previously indicted in the Eastern District of New York in May 2008 and the District of Massachusetts in August 2008 for his involvement in conspiracies relating to data breaches of companies such as TJX Companies, Dave & Busters, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. He was also arrested in New Jersey in 2003 for his role in ATM and debit card fraud.