Here's a few details I find interesting in
this story:
* The hackers allegedly stole more than 130 million credit and debit card numbers from Heartland and Hannaford combined.
* Gonzalez and 10 others were charged in May and August 2008 with network intrusions into TJX, OfficeMax, Dave & Busters restaurant chain and other companies.
* The attack vector was SQL-injection
* The hackers tested their malware against some 20 different antivirus programs to make sure they wouldn’t be detected, and also programmed the malware to erase evidence from the hacked networks to avoid forensic detection.
* The thieves captured card account numbers and expiration dates and, in 20 percent of cases, the customer’s name as well.
* Gonzalez called his credit card theft ring “Operation Get Rich or Die Tryin.”
* Another hacker linked to the crime committed suicide in 2008.
* Gonzalez goes to trial in New York on September 14th for the Dave & Buster’s hack.
* Next year, Gonzalez faces trial in Massachusetts on the TJX hack and may eventually face trial in New Jersey on new charges levied against him this week for allegedly hacking into five other companies, including Heartland Payment Systems and 7-11, and stealing more than 130 million credit and debit card numbers — the largest data breach prosecuted in the United States to date.
Some are wondering if Gonzalez was hired to do these jobs for the Russian mob. I can find no coverage of such a link.
Two of my debt cards were involved in these breaches. One was replaced. My bank give me one year of free fraud monitoring on the other.
While we as law firm IT don't usually process credit card transactions, most of us have SQL databases, many of them Internet facing or running our websites.
As defenders what can we learn from the breach? Secure your web applications. SQL-injection is a common thread in many recent breaches. It's a quick and easy way to get behind your firewall.
Labels: Data Breach, Gonzalez, Heartland, SQL Injection, TJX
