Friday, April 19, 2024

Wide-Ranging Hacker Indictment Casts New Light on Some Notorious Breaches

A federal indictment announced on Thursday against four Russians and a Ukrainian man casts new light on some of the biggest breaches of payment card data in recent years.

The defendants are affiliated with notorious computer hacker Albert Gonzalez, who is serving a 20-year prison sentence and is named as one of four co-conspirators in the new indictment. They allegedly were involved in data breaches or the sale of stolen data from 16 companies and caused at least $300 million in losses for just three of the firms.

The defendants, who were charged with wire fraud, conspiracy, or unauthorized access to computers, reportedly were involved in breaches, some highly publicized, at payment processors Heartland Payment Systems Inc., Global Payments Inc., Euronet Worldwide Inc., a Jordanian merchant acquirer for Visa transactions, and the Singapore affiliate of Diners Club International.

They allegedly stole 30 million card numbers from British processor Commidea Ltd. in 2008. They also targeted retailers 7-Eleven Inc., Hannaford Bros. Inc., JCPenney Inc., Wet Seal Inc., and the big French chain Carrefour S.A.

The men mostly harvested or sold payment card numbers to others, who in turn used the data to make counterfeit cards. But they also fished for data from such companies as the NASDAQ electronic stock market, business-news publisher Dow Jones, and airline JetBlue.

Paul J. Fishman, the U.S. attorney for New Jersey, announced the indictment in Newark along with officials from the U.S. Department of Justice and the U.S. Secret Service, which led the investigation. The indictment covers intrusions between 2005 and 2012. A statement from Fishman’s office calls the combined hackings “the largest such scheme ever prosecuted in the United States.”

In a typical breach, the hackers probed Internet-connected corporate computer networks for vulnerabilities in their databases, then used so-called SQL (Structured Query Language) injection attacks to infiltrate the networks and plant malicious code, or malware, that could keep access open. They would also use “sniffer” programs to find and collect targeted data. The hackers used servers at various U.S. and worldwide locations to store malware, stage their attacks, and receive stolen log-in credentials and other data.
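The defensive counterpart to the SQL injection technique described above, as an added example that is not part of the original article: a database lookup built by string concatenation beside a parameterized version, run against a constructed in-memory SQLite table (the table, its rows, and the inputs are assumptions, not data from the indictment).

```python
import sqlite3

# Constructed sample data standing in for the kind of card database
# the indictment says was probed for SQL injection flaws.
SAMPLE_ROWS = [
    ("alice@example.test", "4111-XXXX-XXXX-0001"),
    ("bob@example.test", "4111-XXXX-XXXX-0002"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (email TEXT, pan_masked TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, email):
    # String concatenation: the caller's input is parsed as part of the SQL,
    # which is the class of defect an injection attack exploits.
    sql = "SELECT email, pan_masked FROM cards WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, email):
    # Parameterized query: the driver binds the value as data, so quotes
    # or keywords inside it never change the statement's structure.
    sql = "SELECT email, pan_masked FROM cards WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    conn = make_db()
    normal = "nobody@example.test"
    # Constructed input with an embedded quote and OR clause, the shape a
    # code review or input-validation rule should flag as suspicious.
    tampered = "nobody@example.test' OR 'a'='a"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_tampered": len(lookup_vulnerable(conn, tampered)),
        "hardened_normal": len(lookup_hardened(conn, normal)),
        "hardened_tampered": len(lookup_hardened(conn, tampered)),
    }
```

With the concatenated query the tampered value matches every row in the table, while the parameterized query treats the same string as a literal e-mail address and matches nothing.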

While many of the cited incidents are familiar to the payments industry, the indictment offers fresh details about some. For example, Global Payments never said much about how its breach happened, but the indictment says that between January 2011 and March 2012, a co-conspirator managed to insert malware dubbed “medll.exe” into the processor’s computer network. That malware had already been used to let outside users, working through servers in Germany, run programs on Euronet’s network. Medll.exe also used the same unique encryption key as the malware involved in the Dow Jones and JCPenney hacks.

Through the German servers, the hackers accessed Internet Protocol addresses associated with Global Payments. Ultimately, they stole 950,000 card numbers and caused losses of $92.5 million, the indictment says. Global Payments confirmed the breach late in March 2012. A spokesperson for the Atlanta-based company declined comment.

The Euronet breach, which began in July 2010, compromised 2 million cards. A spokesperson for Leawood, Kan.-based Euronet, which does most of its business outside North America, did not respond to a Digital Transactions News request for comment.

Other processor breaches mentioned in the indictment include:

• Heartland, where a hack beginning in late 2007 compromised 130 million card numbers—the biggest ever payment-card breach—and caused $200 million in losses.

• Ingenicard US Inc., a Miami-based prepaid card and cash-access provider through ATMs and agents. A 2012 breach resulted in the theft of card numbers used to make $9 million in fraudulent withdrawals in 24 hours.

• Visa Jordan, where a 2011 breach resulted in the theft of 800,000 card numbers. The indictment says Visa Jordan is a licensee of Visa Inc., the biggest payment card network. A U.S.-based spokesperson for Visa Inc. says the Jordanian company is a third-party acquirer processor not affiliated with Visa Inc.

• Diners Singapore, a unit of Diners Club International, which is owned by Discover Financial Services. A June 2011 breach there compromised 500,000 cards, resulting in $312,000 in losses.

Two of the Russian defendants were arrested in June 2012 in the Netherlands. One, Dmitriy Smilianets, has been extradited to the U.S. and remains in federal custody while the other, Vladimir Drinkman, remains in the Netherlands pending extradition. The three others—Alexandr Kalinin and Roman Kotov of Russia and Mikhail Rytikov of Ukraine—remain at large, the U.S. Attorney’s office in New Jersey said. Kalinin and Drinkman previously were charged as “Hacker 1” and “Hacker 2” in the 2009 indictment charging Gonzalez with various corporate data breaches, including Heartland’s.

Avivah Litan, a security-technology analyst at Stamford, Conn.-based Gartner Inc., says that while SQL injection attacks can be difficult to defend against, so-called layered-security measures should be able to thwart most of them. “The moral of the story here is these companies are overwhelmed with all the security measures they need to take,” she says. “Maybe they didn’t have the right products or didn’t have the right secure-coding practices.”
