NEWARK, NJ -- Federal prosecutors have indicted Albert Gonzalez, 28, on charges that he and two accomplices were responsible for theft of credit and debit card data from five major companies, including Heartland Payment Systems (Princeton, NJ), between October 2006 and May 2008.
The indictment in the United States District Court here includes two unnamed Russians who allegedly conspired with Gonzalez to conduct the exploit.
Other victims identified in the indictment include 7-Eleven Inc. (Dallas); Hannaford Bros. (Portland, ME), a regional supermarket chain; and two more retailers that were not identified.
Gonzalez has been held in Brooklyn, NY, since May 2008 accused of endeavoring to compromise the network of Dave & Buster's (Dallas), a national restaurant and amusement chain. He also faces charges in Boston relating to a 2005 theft of data from T.J. Maxx stores.
The recent indictment accuses Gonzalez and the two Russians of stealing information for more than 130 million cards during the 20-month period. If convicted, they face sentences of up to 35 years.
Gonzalez has been known to law enforcement agencies since 2003, when he was arrested in New Jersey. He then cooperated with investigators to identify his confederates in the widespread but shadowy world of commerce in stolen identities. The latest indictment states that he later reconnected with that world and went back to planning lucrative security breaches.
Investigators explained that Gonzalez and his cohorts made use of a weakness in SQL (Structured Query Language) that allows hackers to "inject" new instructions into cardholder databases, then run a malicious program that relays transaction data to the culprits' computers when a victim uses his or her card. The three are accused of employing computers in Ukraine, Latvia, The Netherlands and the U.S. to receive the stolen information. Among other things, successful pilfering of card data apparently permitted the perpetrators to withdraw large sums of money from automated teller machines.
According to a story in The Wall Street Journal, the indictment didn't estimate the losses associated with the alleged activities, nor did it explain how the suspected cybercrimals might have profited from the stolen numbers. The paper reported that hackers typically sell batches of credit-card data online. According to the Journal's investigation, the current asking price in online forums is $10 to more than $100 per account profile, depending on the account's limit.
Wire fraud has exploded in recent years because wire transfers now use networks that connect to the Internet. The Treasure Department estimated that more than 55,000 incidents of wire fraud have occurred since 1998, and more than half of them transpired in the past two years.