Shortly after the hearing on Tuesday, Reuters identified Target (TGT) as one of the retailers affected, though Target said the breach lasted only a short time. U.S. Attorney Erez Liebermann said in August that the vast majority of the stolen card information came from Heartland Payment Systems.
Gonzalez, a former Secret Service informant, pleaded guilty to two counts of conspiracy to gain unauthorized access to computers and to commit wire fraud. As part of the plea deal, prosecutors agreed not to ask for more than 25 years and Gonzalez agreed not to ask for less than 17 years. Gonzalez already faces 15 to 25 years in two earlier federal cases involving intrusions into Dave & Buster's restaurants and the retail company TJX. Gonzalez is set to be sentenced on March 18. Prosecutors want his sentences to run concurrently.
One of Gonzalez's hacks led to $180,000 in cash being stolen from Citibank machines on the Upper East Side of New York in just three days. When the case was fully investigated, it ended in 10 arrests and a final tally of at least $2 million stolen. These crimes started with a breach of the public website of 7-Eleven. Gonzalez admitted to conspiring in this breach and cited two Russian associates, Hacker 1 and Hacker 2, who go by the names "Grigg" and "Annex."
The Russians used SQL injection (a technique that exploits a security vulnerability occurring in the database layer of an application) to gain unauthorized access to 7-Eleven's servers through 7-Eleven's public-facing Internet site, and then used that access to reach servers supporting ATM terminals located in 7-Eleven stores, according to the plea agreement. On or about November 9, 2007, 7-Eleven disabled its public-facing Internet site to stop the unauthorized access.
At the time, there were 5,500 Citibank-branded ATMs at 7-Eleven stores around the country. According to SEC documents, 7-Eleven ran its own transaction-processing server to handle 2,000 of them using Vcom machines, manufactured by NCR. The 7-Eleven Vcoms support special functions like bill payment, check cashing and money-order purchases. For a two-week period in September 2007, anyone who typed a PIN into one of these ATMs was exposed.
As part of his plea bargain, Gonzalez told prosecutors that the hackers breached at least four card processing companies, as well as a series of foreign banks, a brokerage house and several retail store chains, according to a sentencing memo filed earlier in December. The memo reveals that six months after his May 2008 arrest, Gonzalez located and provided prosecutors with the "complicated" and "lengthy" password to decrypt his laptop, which contained "a vast array of historical data and communications" that helped the government indict other members of Gonzalez's team, and could be used in future search warrants. It also reveals that Gonzalez drew prosecutors a map that helped them find more than $1.1 million that he had buried in his parents' backyard.
Ultimately, how much money was stolen and how many lives were ruined by the identity thefts will probably never be known. And many people are still cleaning up the mess made of their credit histories from the thefts of credit card data by these hackers.