"TJX hacker" indicted for huge Heartland breach: SQL inj. FAIL

The alleged thieves of 130,000,000 credit and debit card details have been charged. The cases at Heartland Payment Systems, 7-Eleven, and Hannaford Brothers are in addition to Albert Gonzalez' previous charges, for the TJX breach. In IT Blogwatch, bloggers wonder when IT people plan to get serious about SQL injection and other security vulnerabilities.

By Richi Jennings. August 19, 2009.

Your humble blogwatcher has selected these bloggy morsels for your enjoyment. Not to mention suing Facebook...

Dan Goodin registers his discontent:

Federal authorities have charged a previously indicted hacker with breaching additional corporate computers and stealing data for at least 130 million credit and debit cards, the biggest identity theft case ever prosecuted in the United States. Albert "Segvec" Gonzalez and two unnamed Russians were indicted on Monday for attacks that hit credit card processor Heartland Payment Systems, retailers 7-Eleven and Hannaford Brothers, and two unidentified companies. The 28-year-old resident of Miami already stood accused of perpetrating a breach on stores owned by TJX.


Documents filed in US District Court in Newark, New Jersey claim that ... the trio used SQL injection attacks to install sniffer software on the companies' servers to intercept credit card data as it was being processed. ... The breach has proved to be a major embarrassment for Heartland, which ... has so far allocated $12.6m to cover costs stemming from the loss of sensitive card-holder data. ... If convicted, each faces a maximum of 35 years in prison and $1.25m in fines.

Kim Zetter adds:

The constellation of hacks connected to the TJX hacker is growing. ... these are just the latest in a string of high-profile breaches that have been connected to Gonzalez. He and 10 others were charged in May and August 2008 with network intrusions into TJX, OfficeMax, Dave & Busters restaurant chain and other companies. Jury selection is slated to begin Sept. 14 in one of those cases.


Gonzalez was a Secret Service informant who once went by the nickname “Cumbajohnny.” He was a top administrator on a carding site called Shadowcrew when he was arrested in 2003. Authorities discovered his connection to Shadowcrew and soon put him to work undercover on the site ... [which] led to the arrest of 28 members of the site in October 2004. After the site went down, Gonzalez changed his nick to “Segvec” and moved to Miami where he allegedly resumed his life of crime.

Jacqui Cheng asks, "Feel like checking your credit report yet?":

The [TJX] theft ... occurred, unsurprisingly, due to glaring security holes in the computer systems that process and store payment information. Gonzalez' success came for similarly stupid reasons.


It turns out that one of the systems in the payment processing chain had been infected with an unidentified bit of malware designed to track and report the magnetic information stored on the back of a credit card as that data was sent through the system. Though Heartland said that no personally identifiable information was transmitted, that magnetic data could easily be transferred to a new physical card.

Dennis Fisher says it's "Sadly familiar":

The news ... shows that law enforcement is indeed stepping up its work on cybercrime. But it also provides what is probably the clearest evidence to date that the people executing these attacks are highly competent, organized and motivated. ... What IT security teams and other interested parties should be concerned with are how these attacks happened and the level of organization and professionalism involved.


This was not something that this group did on a lark. They put a considerable amount of time and effort into this plan. They knew what they were looking for, they knew where to find it and they knew how to get it. And once they had their plan in place, it appears that their targets made it all too easy for them to succeed. SQL injection vulnerabilities are a pervasive and insidious problem, but they're also well-understood and there are effective methods for finding and fixing them.
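The "well-understood" fix Fisher alludes to is parameterized queries. The following is an added illustration, not code from the article or from any of the quoted bloggers, and it assumes nothing about the breached systems: it builds a constructed three-row table in an in-memory SQLite database, runs the same lookup once with string concatenation and once with placeholder binding, and includes the single-quote probe that a team's regression tests can use to flag the concatenating variant before an attacker does.

```python
import sqlite3

# Constructed sample data for this example only (not from the article).
SAMPLE_ROWS = [
    ("alice", "4111-XXXX-XXXX-1111"),
    ("bob", "5500-XXXX-XXXX-0004"),
    ("carol", "3400-XXXX-XXXX-0009"),
]


def make_db():
    """Fresh in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (holder TEXT, pan TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, holder):
    """Builds the statement by concatenation: the input becomes SQL text.

    A value such as  ' OR '1'='1  closes the quoted literal and appends its
    own condition, so the WHERE clause matches every row.
    """
    sql = "SELECT holder, pan FROM cards WHERE holder = '" + holder + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, holder):
    """Hardened form: the value is bound to a placeholder.

    The driver hands the value to the engine separately from the statement,
    so it is only ever compared against the column, never parsed as SQL.
    """
    return conn.execute(
        "SELECT holder, pan FROM cards WHERE holder = ?", (holder,)
    ).fetchall()


def is_injectable(lookup, conn):
    """Cheap regression check: a name containing an apostrophe must not
    break the statement. A concatenating lookup raises a database error on
    O'Brien; a bound one simply returns no rows."""
    try:
        lookup(conn, "O'Brien")
    except sqlite3.DatabaseError:
        return True
    return False


def demo():
    """Row counts returned by each lookup for a normal and a hostile input."""
    conn = make_db()
    normal = "alice"
    hostile = "' OR '1'='1"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)),
        "param_normal": len(lookup_parameterized(conn, normal)),
        "param_hostile": len(lookup_parameterized(conn, hostile)),
    }


if __name__ == "__main__":
    for key, count in demo().items():
        print(f"{key}: {count} row(s)")
    print("vulnerable lookup flagged:", is_injectable(lookup_vulnerable, make_db()))
    print("parameterized lookup flagged:", is_injectable(lookup_parameterized, make_db()))
```

The hostile string returns all three rows from the concatenating lookup and none from the bound one; the apostrophe probe flags only the concatenating version. Running that probe against every query path in a payment application is the kind of routine, automatable check Fisher has in mind.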

Objects in J.R. Raphael's mirror may be closer than they appear:

Put into perspective, the Heartland case is far above and beyond any data theft in the past; ... the number of affected accounts in the hack is equal to nearly half the total number of compromised accounts in all breaches on record since 2005.

To be fair, that total number is likely on the low side: Many breaches have unknown numbers of affected records ... and some cards may have been breached multiple times. Still, it provides a rough estimate of where this hack stands in the big picture.

Rich Mogull rolls his eyes:

It looks like we now know exactly how all these recent major breaches occurred.


No surprises. All preventable, although clearly these guys know their way around transaction networks if they target [Hardware Security Modules] and proprietary financial systems. Seems like almost exactly what happened with CardSystems back in 2004. No snarky comment needed.

So what's your take?

And finally...

After posting her photos to Facebook, Beck was quite surprised to discover her photos had been posted to Facebook. Outraged, she’s charging the social network for disseminating her “digital images… without her consent, knowledge, or compensation.”

Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and spam. A 24 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him as @richi on Twitter or richij on FriendFeed, pretend to be Richi's friend on Facebook, or just use good old email: itblogwatch@richij.com.

Copyright © 2009 IDG Communications, Inc.