In what’s claimed to be the biggest case of identity theft in history, US prosecutors have charged a man with stealing data relating to 130 million credit and debit cards.
In what’s claimed to be the biggest case of identity theft in history, US prosecutors have charged a man with stealing data relating to 130 million credit and debit cards.
Officials say Albert Gonzalez, 28, and two un-named Russian co-conspirators hacked into the payment systems of many US retailers, including the 7-Eleven chain.
Prosecutors say they aimed to sell the data potentially worth between US$1.3 billion and $130 billion. If convicted, Gonzalez faces up to 20 years in jail for wire fraud and five years for conspiracy, along with $500,000 in fines. He is already in jail awaiting trial on charges of having hacked more than 40 million credit-card numbers from US apparel and home fashion chain TJX.
Gonzalez, known online as “SoupNazi”, used a technique known as an “SQL injection attack” to access databases used for money transfers and steal information, the US Department of Justice said. This exploits any vulnerability in a firewall and inserts a code to gather information.
Investigators say Gonzalez is a high-school graduate and self-taught programmer who cut his criminal teeth as a leader in the self-styled Shadowcrew, an online credit-card hacking ring busted in 2004.
He launched what he called “Operation Get Rich Or Die Tryin,” targeting Fortune 500 companies with data-theft operations, but avoided arrest by becoming a Secret Service snitch.
Documents filed in court say he threw himself a $75,000 birthday party and at one point lamented he had to count more than $340,000 in $20 notes by hand because his money counter had broken. The notes had been stolen from ATMs.
In the latest case, it’s alleged Gonzales and his unnamed co-conspirators in Russia used a network of computers spanning New Jersey, California, Illinois, Latvia, the Netherlands and Ukraine to infiltrate the computer networks of victim companies.
The trio allegedly scooped up credit- and debit-card numbers and installed so-called back doors in the victims’ computer networks to enable them to steal more data in the future, the indictment said. They also installed “sniffer” programs to capture card data and send it to the hackers.
The indictment didn’t estimate the losses associated with the alleged activities, but The Wall Street Journal notes that typically hackers sell batches of credit-card data online the current asking price is said to range between US$10 and $100 per account profile, depending on the account’s limit.