Report Button



US man charged with stealing 130 million payment card details

In what security experts are calling 'the largest ever identity theft case in modern history', a US man has been charged with stealing data relating to 130 million payment cards.

The 28-year-old man - Mr Albert Gonzales - is alleged to have worked with two as yet unnamed Russian colleagues, in gaining unauthorised access to a variety of retailer's IT systems, including those operated by 7-Eleven, Hannaford Brothers and Heartland Payment Systems.

If convicted, Mr Gonzales could face up to 20 years for wire fraud and a further five years for conspiracy. Reports also suggest he would have to pay a fine of $500 000 for the two main charges against him.

According to the indictment, the trio researched the credit and debit card systems used by their victims, attacked their networks and sent the data to computer servers they operated in California, Illinois, Latvia, the Netherlands and the Ukraine.

Mr Gonzalez is already in jail in connection with the alleged hacking of the computer systems of a national restaurant chain and eight major retailers, including TJ Maxx.

Commenting on the case, Graham Cluley, a senior technology consultant with Sophos, the IT security software vendor, told Infosecurity that the charges against Mr Gonzales relate to a great many database incursions and card data hacks.

"It's not just about SQL attacks, as has been reported in some quarters. It also involved wireless network sniffing and a variety of other hacker methodologies," he said.

"More than anything, the case underlines the fact that you need to harden your company's IT resources against all forms of attack, and not just one or two," he added.

According to Cluley, IT managers need to do a "bunch of stuff" to secure their systems.

"You need to ensure that as few of your systems as possible are public-facing and protected from internal threats. You also need to only allow those employees that need access to the data, to actually have access."

"IT managers must also look at encrypting company data, whether it is on the move, or whether it is at rest."

Other issues such as controlling the use of portable data devices - USB sticks especially - also need to be addressed, he said.

This article is featured in:

Data LossInternet and Network SecurityWireless and Mobile Security

Read it from the infosecurity website here.