130 Million Credit and Debit Card Numbers Stolen – Is Yours Secure?

The largest case of ID theft ever prosecuted reads like a thriller. A small group of men stole more than 130 million credit and debit card numbers between 2006-2008. At the same time, the ringleader, Alberto Gonzalez, 27, played informant for federal investigators helping them catch his cohorts.

It appears that at the ripe age of 22, Gonzalez began his career in ID theft, stealing credit card information from a string of stores including Office Max, Barnes & Noble, Marshalls, TJ Maxx, 7-Eleven, Heartland Payment Systems, and at least two unnamed national retailers. It is still unclear how many of these credit and debit card numbers were then sold on the internet black market and used by other criminals to make unauthorized purchases and withdrawals from banks.

It is also unclear whether all victims have been notified that their cards were stolen, as not all states have laws requiring stores to notify consumers of data breaches. NOTE: According to the National Conference of State Legislatures, as of July 27, 2009, forty-five states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.

Speaking about the case and the involvement of Gonzalez in so many data breaches, Erez Liebermann, an assistant U.S. attorney in the Justice Department’s New Jersey office, said it suggests that “perhaps the individuals capable of such conduct are a tighter-knit group than may have been previously thought.”

The indictment alleges that Mr. Gonzalez and his conspirators (11 have been indicted) reviewed Fortune 500 companies, selected which companies to target, and then visited the targeted companies’ stores to determine which payment systems were used. The criminals then launched attacks against these sites using flaws in the SQL programming language, commonly used for databases. Their malware programs intercepted credit card transactions in real time and transmitted the numbers to leased computers in the U.S., the Netherlands and Ukraine.

Sobering reality

Richard Wang, manager of SophosLabs, said the case demonstrates that retailers and banks need to strengthen industry standards. Current practice is that major banks only agree to encrypt this data when it is stored; moving forward, credit card numbers should also be encrypted when passed between computers.

Mr. Wang also doubted that the world had seen the last significant theft of credit card numbers. “I’m not sure how likely it is that they [prosecutors] are going to get the Russian co-conspirators, obviously there are still plenty of people with the necessary expertise to pull off these kinds of attacks.”

To learn more about his case read

