Feds Indict Five in Largest Known Credit Card Data Breach
In July the United States federal government indicted five men in a worldwide hacking and data breach scheme--the largest of its kind in the country--that stole over 160 million credit card numbers and added up to hundreds of millions of dollars in losses.
According to New Jersey U.S. Attorney Paul J. Fishman, the defendants attacked corporations that conducted financial transactions, retailers that transmitted and received financial data and other institutions that had information the defendants could use for their personal profit. The defendants are charged with making attacks on NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard.
"This type of crime is the cutting edge," U.S. Attorney Fishman said in a statement. "Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy, and our national security. And this case shows there is a real practical cost because these types of frauds increase the costs of doing business for every American consumer, every day. We cannot be too vigilant and we cannot be too careful."
The U.S. Secret Service Criminal Investigations unit led the investigation, which claims that the five defendants, who hail from Russia and the Ukraine, conspired with others to get into the computer networks of many large payment processors, retailers and financial institutions around the world by breaching the network to steal data, getting unauthorized access to a network to add malware on it, or conducting an SQL Injection Attack that put malware on the network to steal information. The malware--sometimes on company computer servers for over a year--then allowed the defendants to easily get into the system to steal data.
The scheme lasted many years, starting as early as August 2005. One of its earliest attacks was in May 2007, when it was able to breach the NASDAQ stock exchange network. Over the next several months, the group allegedly continued attacking NASDAQ's network until it was able to sustain access and take data. Another early conquest was breaching the French retailer Carrefour's network, which resulted in the taking of about two million credit card numbers.
The group continued its attacks through 2012, when it got into the computer network Ingenicard, an ATM network. Through malware installation, one of the defendants was able to take 23 card numbers. With this stolen data, over $9 million was withdrawn from accounts in a one-day period.
While some companies were able to ward off some of these attacks, ultimately the defendants' persistence and patience won out in their ability to gain access to corporate information.
Once the defendants had access to a company's network, they used "sniffers," or programs that could hunt out, collect and steal data from the breached networks. Then the defendants used a number of servers all over the world to store and sell the stolen data.
The defendants allegedly collected credit card numbers and the data that went with them from their victims and sold it in online forums that specialized in identity theft through stolen credit cards. American credit card numbers and their data were worth $10 each; Canadian numbers and data were sold for $15 each; and European numbers and data went for $50 each. Once in the hands of new owners, the credit card numbers were put onto magnetic stripe cards that were used either to withdraw money from ATMs or make purchases.
The attacks and resulting fraud added up to hundreds of millions of dollars in losses, including over $300 million that was reported by three companies. The losses added up as the theft trickled down to average people who found themselves the victims of identity theft.
The five defendants are facing varying counts of fraud for the different violations, each of which comes with a maximum prison sentence of five years and up to 30 years per count, along with a fine.