Alleged International Hacker Indicted for Massive Attack on U.S. Retail and Banking Networks
Data Related to More Than 130 Million Credit and Debit Cards Allegedly Stolen
Three Men Indicted for Hacking into Five Corporate Entities, including Heartland, 7-Eleven, and Hannaford,
With Over 130 Million Credit and Debit Card Numbers Stolen
NEWARK, N.J. – An Indictment
was returned today against three individuals who are charged with being
responsible for five corporate data breaches, including the single largest
reported data breach in U.S. history, announced Acting U.S. Attorney Ralph
J. Marra, Jr., along with Assistant Attorney General of the Criminal Division
Lanny A. Breuer and United States Secret Service Director Mark Sullivan. The
scheme is believed to constitute the largest hacking and identity theft
case ever prosecuted by the U.S. Department of Justice.
The Indictment describes a scheme
in which more than 130 million credit and debit card numbers together with
account information were stolen from Heartland Payment Systems, Inc., based
in Princeton, N.J., 7-Eleven, Inc., and Hannaford Brothers Co. In addition,
the Indictment describes two unidentified corporate victims as being hacked
by the coconspirators.
As alleged in the Indictment,
between October 2006 and May 2008, Albert Gonzalez, 28, of Miami, Fla.,
acted with two unnamed coconspirators to identify large corporations, often
by scanning the list of Fortune 500 companies and exploring corporate websites.
Upon identifying a potential victim, Gonzalez and his coconspirators sought
to identify vulnerabilities, both by physical observation and by online
exploration. For example, according to the Indictment, Gonzalez and an individual
identified in the Indictment as “P.T.” would go to the retail locations
of their potential victims in an attempt to identify the type of point-of-sale
(“checkout”) machines utilized by the victim companies. After reconnaissance of the
computer systems was completed, information would be uploaded to servers
which served as hacking platforms. These servers, located in New Jersey
and around the world, were used by the coconspirators to store information
critical to the hacking schemes and to subsequently launch the hacking
attacks.
According to the Indictment,
the hacking attacks launched against the corporate victims consisted of
what is known as a SQL-injection attack, which is an attack that exploits
security vulnerabilities in elements of a computer that receives user input.
Gonzalez provided some of the malicious software (malware) to his coconspirators,
and they added their own as they sought to identify the location of credit
and debit card numbers and other valuable data on the corporate victims’
computer systems.
The coconspirators often worked
together on a real-time basis, contacting each other by instant messaging
as they were improperly accessing the corporate victims’ computer systems,
according to the Indictment. Once the target information was discovered,
it would be stolen from the corporate victims’ servers and placed onto
servers controlled by Gonzalez and the coconspirators. In addition to searching
for credit and debit card data on the victims’ computer systems, the Indictment
alleges that Gonzalez and the coconspirators installed “sniffers” which
conducted real-time interception of credit and debit card data being processed
by the corporate victims and subsequently stolen from the corporate victims’
computer servers.
The Indictment alleges that Gonzalez
and the coconspirators employed numerous techniques to hide their hacking
efforts and data breaches. For example, they allegedly accessed the corporate
websites only through intermediary, or “proxy,” computers, thereby disguising
their own whereabouts. They also tested their malware by using approximately
twenty of the leading anti-virus products to determine if any of those
products would detect their malware as potentially unwanted. Furthermore,
they programmed their malware to actively delete traces of the malware’s
presence from the corporate victims’ networks. Upon stealing the credit
and debit card data, Gonzalez and the coconspirators would seek to sell
the data to others who would use it to make fraudulent purchases, make
unauthorized withdrawals from banks and further identity theft schemes.
“This investigation marks the
continued success of law enforcement in tracking down cutting edge hacking
schemes committed by hackers working together across the globe,” said Marra. Marra
added that the investigation was greatly facilitated by those companies
that took a proactive approach in working with law enforcement to identify
and stop hackers. “When companies make the decision to work with law enforcement
and disclose a data breach at the earliest possible opportunity, it provides
the best chance at apprehending a hacker and demonstrates that those corporate
victims will actively defend their systems.”
A federal grand jury sitting
in Newark, N.J., charged Gonzalez and two individuals identified only as
“Hacker 1,” and “Hacker 2,” both in or near Russia, in the two-count Indictment.
The first count charges conspiracy to (1) gain unauthorized access to computers,
(2) commit fraud in connection with computers, and (3) damage computers.
The second count charges conspiracy to commit wire fraud. Each defendant
faces a maximum penalty of 5 years in prison on Count One and an additional
30 years on Count Two, for a total of 35 years. In addition, each of the
individuals is subject to a maximum fine of $250,000 per Count One, and
$1 million per Count Two, or twice the gain resulting from the offense,
whichever is greater.
Gonzalez was previously indicted
in the Eastern District of New York on May 12, 2008, and the District of
Massachusetts on August 5, 2008, for his involvement in different conspiracies
relating to data breaches of multiple companies. He was also previously
arrested in New Jersey in 2003 for his role in ATM and debit card fraud.
Gonzalez is currently detained in the Metropolitan Detention Center in
Brooklyn, New York.
Marra credited the Special Agents
of the United States Secret Service, under the direction of Special Agent
in Charge Cynthia Wofford, for their work in the investigation.
An Indictment is merely an accusation,
and all defendants are presumed innocent unless and until proven guilty
beyond a reasonable doubt.
The case is being prosecuted
by Assistant U.S. Attorneys Seth Kosto and Erez Liebermann of the U.S.
Attorney’s Office Computer Hacking and Intellectual Property Section, part
of the Commercial Crimes Unit in Newark, New Jersey, and Senior Counsel
Kimberly Kiefer Peretti of the Criminal Division’s Computer Crime &
Intellectual Property Section.
(17/8/09 USDOJ)