By Brian Krebs
Washington Post Staff Writer
Tuesday, August 18, 2009; A11
A federal grand jury has indicted three people on charges of hacking into the files of the credit and debit card processing giant Heartland Payment Systems last year in what the Justice Department is calling the largest identity-theft case ever prosecuted.
According to indictments returned Monday in a New Jersey federal court, the government says the same three people were involved in a string of high-profile data breaches from October 2006 to May 2008, including intrusions at grocery chain Hannaford Brothers and 7-Eleven.
In total, the government alleges that the suspects stole data on more than 130 million credit and debit cards from Heartland alone.
One of the accused, a 28-year-old former Secret Service informant named Albert Gonzalez of Miami, was indicted last year for his alleged role in several other major data breaches, including ones at T.J. Maxx, Barnes & Noble, BJ's Wholesale Club, Boston Market, DSW, Forever 21, Office Max and Sports Authority.
Authorities say hackers in the United States, Russia and Eastern Europe worked together to target known security weaknesses in computer systems.
"This investigation marks the continued success of law enforcement in tracking down cutting-edge hacking schemes committed by hackers working together across the globe," said Ralph J. Marra Jr., acting U.S. attorney for the district of New Jersey.
The indictments do not name the other two alleged hackers, describing them only as "Hacker 1" and "Hacker 2" and saying they are from Russia. All three are charged with two counts: conspiracy to gain unauthorized access to computers, to commit fraud in connection with computers and to damage computers; and conspiracy to commit wire fraud. Each defendant faces a maximum of 35 years in prison and more than $1 million in fines or twice the monetary gain resulting from the offenses, whichever is greater.
Gonzalez is already detained in New York City, pending trial on last year's T.J. Maxx case, in which he has pleaded not guilty.
Gonzalez's attorney did not return calls seeking comment.
Prior to the T.J. Maxx breach, Gonzalez served as a confidential informant to the U.S. Secret Service following his arrest in 2003 for credit card fraud in another case. Government authorities have credited him with providing information that proved vital to "Operation Firewall," a crackdown in 2004 that resulted in the arrest of at least 28 members of an online bazaar where criminals traded in stolen personal and financial data.
Secret Service spokesman Malcolm Wiley declined to comment on what steps the agency took after Gonzalez's arrest in the T.J. Maxx case, except to say authorities "addressed it immediately."
Mark Rasch, a former cyber crime prosecutor at the Justice Department and co-founder of Secure IT Experts, a consulting firm in Bethesda, said that while it is not uncommon for informants to be involved in criminal activity, the government should have kept a closer eye on Gonzalez.
"It's notoriously difficult to work an informant and know everything they're doing, but 130 million stolen credit and debit card numbers means there was a big gap in that knowledge," Rasch said.
Heartland, based in Princeton, N.J., disclosed the breach in January. At the time of the intrusion last summer, Heartland was processing 100 million payments for at least 250,000 businesses each month. At least 650 financial institutions have been affected by the breach, according to BankInfoSecurity.com.
In a June filing with the Securities and Exchange Commission, Heartland said the data breach had cost it $32 million so far. But the final bill may be far higher: The breaches at T.J. Maxx -- which jeopardized an estimated 40 million debit and credit cards -- have cost the company at least $200 million to date, according to its own SEC filing.