3 charged in largest U.S. identity-theft case
A federal grand jury indicted three people on charges of hacking into the files of Heartland Payment Systems, the credit- and debit-card payment-processing giant, last year, as part of an investigation the Justice Department is calling the largest identity-theft case ever prosecuted.
A federal grand jury indicted three people on charges of hacking into the files of Heartland Payment Systems, the credit- and debit-card payment-processing giant, last year, as part of an investigation the Justice Department is calling the largest identity-theft case ever prosecuted.
According to indictments returned yesterday in a New Jersey federal court, the government believes the same people were involved in a string of high-profile data breaches from October 2006 to May 2008, including intrusions at Hannaford Brothers and 7-Eleven.
In total, the government alleges, the people stole data on more than 130 million credit and debit cards from Heartland, of Princeton, N.J.
One of the accused, Albert Gonzalez, 28, of Miami, was indicted last year for his alleged role in several other major data breaches, including ones at TJ Maxx, Barnes & Noble, BJ's Wholesale Club, Boston Market, DSW, Forever 21, Office Max, and Sports Authority.
Authorities say the breaches were the result of hackers in the United States and Eastern Europe working in tandem to target known security weaknesses in computer systems.
"This investigation marks the continued success of law enforcement in tracking down cutting-edge hacking schemes committed by hackers working together across the globe," said Ralph J. Marra Jr., acting U.S. attorney for the district of New Jersey.
The indictments returned yesterday include two other people accused in the Heartland and Hannaford breaches, described only as "Hacker 1" and "Hacker 2," both of Russia. All three are charged with two counts: conspiracy to gain unauthorized access to computers, to commit fraud in connection with computers, and to damage computers; and conspiracy to commit wire fraud. Each defendant faces a maximum of 35 years in prison, as well as more than $1 million in fines, or twice the gain resulting from the offense, whichever is greater.
Gonzalez was previously indicted for his alleged role in the TJ Maxx hacks, among others, and is detained in Brooklyn, N.Y., pending trial. He has pleaded not guilty in that case.
Heartland disclosed the breach in January. At the time of the intrusion last summer, Heartland was processing 100 million payments for at least 250,000 businesses each month. The company has not disclosed how many credit and debit accounts may have been compromised in the breach, although at least 650 financial institutions have been affected, according to BankInfoSecurity.com.
In a June filing with the Securities and Exchange Commission, Heartland said the data breach had cost it $32 million. But the final bill may be far higher: The breaches at TJ Maxx have cost the company at least $200 million to date, according to a filing with the SEC.