NEW YORK, (Reuters) – Three men were indicted yesterday for allegedly stealing more than 130 million credit and debit card numbers in what U.S. authorities said they believe is the largest hacking and identity theft case ever prosecuted.
Albert Gonzalez, a former government informant already in jail in connection with hacking cases, and two unnamed Russians were indicted on charges related to five corporate data breaches from 2006 to 2008.
Card numbers were stolen in those breaches from credit-card processor Heartland Payment Systems and retail chains 7-Eleven Inc and Hannaford Brothers Co, prosecutors said.
The men targeted two other corporations, the U.S. attorney’s office in New Jersey said in the statement, without naming those companies.
Heartland Payment Systems and Hannaford Brothers had previously and separately acknowledged the breaches, but the scope of the fraud had not been known.
Authorities also for the first time tied those cases to Gonzalez, who was arrested last year on suspicion of hacking into a restaurant chain’s payment system.
Attorneys for Gonzalez were not available for comment.
Prosecutors said Gonzalez and the Russians, identified as “Hacker 1” and “Hacker 2”, targeted large corporations by scanning the list of Fortune 500 companies and exploring corporate websites before setting out to identify vulnerabilities.
A year ago, Gonzalez was indicted along with 10 others from five countries on accusations of stealing 41 million credit and debit card numbers from major retailers, including TJX Cos Inc, owner of the TJ Maxx and Marshall’s retail chains. Prosecutors said that ring caused more than $400 million in damages.
Prosecutors said Gonzalez and the other two men used numerous techniques to penetrate the computer systems.
Gonzalez was being held in a Brooklyn jail. Prosecutors would not comment on the whereabouts of the two Russians. All three were charged with conspiracy to gain unauthorized access to computers, to commit fraud in connection with computers and to damage computers, and conspiracy to commit wire fraud. Each faces up to 35 years in prison and large fines if convicted.
Prosecutors said in the statement that the suspects would seek to sell the data to others who would use it to make fraudulent purchases.
They cited one example in which they said the suspects went to retail locations to identify the type of checkout machines, and after further investigation into the computer systems they uploaded information onto servers that worked as hacking platforms.
“These servers, located in New Jersey and around the world, were used by the co-conspirators to store information critical to the hacking schemes and subsequently to launch the hacking attacks,” prosecutors said.
Heartland, based in Princeton, New Jersey, calls itself the fifth largest payments processor in the United States.
Representatives from Heartland and 7-Eleven were not available for comment. Hannaford Brothers referred questions to federal authorities.
