By Erika Morphy E-Commerce Times
08/18/09 1:55 PM PT
New charges have been brought against a hacker already awaiting trials in two other cases of identity theft. In the latest indictment, 28-year-old Albert Gonzalez is accused of participating in the theft of 130 million credit card numbers. Two others are charged with conspiring in the crime.
Albert Gonzalez, 28, a hacker already in jail awaiting trial for what was deemed the largest identity theft in the U.S., has apparently topped himself. Along with two unnamed coconspirators, Gonzalez has been indicted by a federal grand jury in New Jersey for an identity theft that trumps the previous record-setter: 130 million credit and debit card numbers stolen over a two-year period, from 2006 to 2008.
At one point, Gonzalez was working as an informant with the U.S. Secret Service to hunt hackers, while at the same time allegedly stealing data.
Storied Resume
In August 2008, the Department of Justice fingered Gonzalez as the ringleader of a hacker gang that stole 40 million credit card numbers -- then believed to be the largest single case of hacking theft. Consumers at T.J. Maxx, Barnes & Noble, Sports Authority and OfficeMax were victimized in that raid. Those charges were filed in the District of Massachusetts. Gonzalez will face them in a trial scheduled to begin in 2010.
In May 2008, the U.S. Attorney's Office for the Eastern District of New York charged Gonzalez in connection with the hacking of a computer network run by a national restaurant chain. Trial on those charges is scheduled to begin in Long Island, N.Y., in September 2009.
This latest episode is also the most audacious, according to the Department of Justice. The Miami-based Gonzalez and two Russian accomplices hacked into corporate databases five times over a two-year time period, using a SQL injection attack to target 7-Eleven, Heartland Payment Systems and Hannaford Brothers, a Maine-based supermarket chain, among other companies.
The three allegedly hacked into the networks and placed backdoor access in the systems to allow them to revisit without detection in order to steal the data. They would then send the data to servers in California, Illinois, Latvia, the Netherlands and Ukraine for resale to criminals.
If convicted, Gonzalez faces up to 35 years in prison and US$500,000 in fines.
The Department of Justice did not return the E-Commerce Times' call requesting comment in time for publication.
The fact that Gonzalez acted as an informant for the Secret Service and then turned around and played the government "is a common problem in law enforcement -- but particularly acute in the prosecution of cybercrimes," said Alexander H. Southwell, an attorney with Gibson Dunn & Crutcher's white collar defense and investigations practice.
"That is because prosecutors and law enforcement are very dependent on using insiders to penetrate criminal activity," Southwell told the E-Commerce Times. "These cases are hard to crack without somebody on the inside because of the nature of cybercrime."
Informers have a tendency to think that because they have protection from the government, they get a free pass on anything else they want to do, he noted.
Familiar Environment
Apart from the James Bond elements of these cases, they're much the same as other massive identity thefts. Despite episode after episode, the underlying breeding ground hasn't changed. That environment is characterized both by the government's patchwork approach to protection -- which often allows perpetrators to escape undetected -- and the reluctance of retailers to implement stronger security measures.
The United States follows a "sectoral" approach to cybersecurity, M. Peter Adler, an attorney at Pepper Hamilton, told the E-Commerce Times.
"This means that regulations and industry standards pertaining to information security may vary slightly for companies in healthcare, financial services, [firms that have] government contracts or that use payment cards," he explained.
"Layer state laws on this, such as those in Massachusetts and California, and a company is left with a patchwork quilt of protections that are often not completely understood and that can result in security gaps," said Adler, adding that what the country really needs is a unified and comprehensive approach to cybersecurity that will keep up with the hackers.
The private sector must step up as well, said Robert Siciliano, CEO of IDTheftSecurity.com.
"Credit card companies, banks and retailers ... clearly make huge profits that trump the losses from fraud -- otherwise, they'd do something to stop fraud," Siciliano told the E-Commerce Times.
"Credit card fraud can be stopped dead with numerous technologies that make the data useless to the thieves," he noted, "but until banks, retailers and the credit card companies adopt them, the bleeding will continue."
The recession is not helping, either.
Even if the government were strongly pushing more protective measures, said Adam Levin, cofounder of Identity Theft 911, it would have to balance those against the inevitable legitimate purchases stymied by such measures.
Furthermore, state governments in the forefront of enforcement have been forced to cut back because of budget cuts, he told the E-Commerce Times.
"Ultimately, it won't be the government that solves this problem, but ultimate regulators of our economy -- class action attorneys," Levin concluded.