Hacker who aided Feds charged in theft of 130 million credit card numbers
Aug 18th 2009 1:00PM
Updated Dec 4th 2009 12:57PM
The Justice Department's latest charges, involving 130 million credit card numbers stolen between 2006 and 2008, will have to wait until two other cases against Gonzalez are heard. Gonzalez has been in custody since May 2008, when he was arrested for stealing credit card data at Dave & Buster's. He was also indicted in another identity theft case, including data breaches at T.J. Maxx. He is awaiting trial in New York on the Dave & Buster's case, then will face trial in Massachusetts on the T.J. Maxx breach, before he faces trial in New Jersey on the latest breach.
The indictment yesterday involved stolen data from Heartland Payment Systems (HPY) and 7-Eleven stores. You may remember Heartland admitting to this breach around the time of President Obama's inauguration. Heartland admitted at that time that 600 million or more cardholders' data was vulnerable, but data security experts thought far fewer accounts were actually tapped. Cardholder names were exposed after attacks on its computer system at a point when data had not been encrypted.
Heartland processes data for Visa, MasterCard, American Express and Discover. At one point, Visa removed Heartland from its list of companies in compliance with the Payment Card Industry Data Security Standard (PCI DSS). In May, Heartland was given a clean bill of health by Visa.
Erez Liebermann, an assistant U.S. attorney in the Justice Department's New Jersey Office, believes that Gonzalez's involvement in so many data breaches suggests that identity thieves may be a closer-knit group than previously realized. Gonzalez worked with two unnamed Russian hackers to pull off the 130 million credit card theft. Federal prosecutors now believe that Gonzalez secretly reconnected using other online names, such as Segvec and Cumbajohnny, while still working with the Feds.
According to the new indictment, Gonzalez and his co-conspirators picked corporations in the Fortune 500 and then monitored the payment systems they used. They created and placed "sniffer" programs on corporate networks. These programs intercepted credit card transactions in real time and transmitted the numbers to computers the defendants leased in the U.S., the Netherlands and Ukraine.
Banks and other corporations clearly need to strengthen industry standards and encrypt credit card numbers when they are transmitted between computers. Currently, major banks encrypt data only when it is stored.
Lita Epstein has written more than 25 books, including The Complete Idiot's Guide to Improving Your Credit Score.