WASHINGTON A man arrested last year for allegedly stealing credit and debit card data from the Dave & Buster's chain on Monday was named in a federal indictment accusing him of illegally gathering information tied to more than 130 million cards, including those handled by Heartland Payment Systems, a processor that serves an estimated 60,000 restaurants.
Albert Gonzalez, 28, of Miami, and two unnamed co-conspirators were accused of conspiracy and conspiracy to engage in wire fraud related to what federal officials called the largest alleged credit and debit card data breach ever charged in the United States. The indictments were outlined in a statement from the Department of Justice citing officials from the U.S. attorney general's office and the Secret Service.
In addition to allegedly masterminding the breach of data systems at Heartland that was discovered in January, the trio is accused of stealing payment card data from convenience store operator 7-Eleven Inc. of Dallas and the Hannaford Brothers Co. supermarket chain of Scarborough, Maine. Those “corporate victims,” among others, were identified in Monday’s indictments.
Gonzalez, who remains in federal custody stemming from the Dave & Buster's case, faces up to 20 years in prison if convicted on the wire fraud conspiracy count and an additional five years in prison on the conspiracy charge, federal officials said.
The two-count federal indictment alleges that Gonzalez and his unnamed partners used a sophisticated hacking technique known as a "SQL injection attack,” which exploits vulnerabilities in computer network firewalls to steal credit and debit card data.
According to federal officials, the indictment details how Gonzalez and his cohorts allegedly began researching the credit and debit card systems used by their corporate targets in October 2006 to devise and execute complex computer attacks. Stolen data were then sent to computer servers operated by the alleged criminals in California, Illinois, Latvia, the Netherlands and Ukraine.
The trio used "sophisticated hacker techniques to cover their tracks and to avoid detection by anti-virus software used by their victims," according to the indictment.
Word of the federal indictments was followed by a statement from Robert O. Carr, Heartland Payment Systems chairman and chief executive, who said his firm wanted to "congratulate Department of Justice and Treasury officials on their effort to bring to justice some of the individuals behind numerous data breaches in recent years."
Heartland, which reportedly processes more than $50 billion in transactions annually from about 250,000 businesses nationwide, markets its services to the restaurant industry and has business relationships with the California Restaurant Association and Florida Restaurant & Lodging Association. Much as consumers who follow issuer guidelines are not responsible for unauthorized purchases tied to stolen cards or data, "merchants will not be liable for any losses associated with the breach," Heartland spokesman Jason Maloni has told Nation's Restaurant News.
Recounting Gonzalez's encounters with the justice system, federal officials said that in May 2008, the U.S. Attorney’s Office for the Eastern District of New York charged him for his alleged role in hacking a computer network run by an unnamed national restaurant chain, which through earlier court documents was identified as Dave & Buster’s. Trial on those charges is scheduled to begin in September in Long Island, N.Y. In August 2008, they said, the Justice Department announced an additional series of indictments against Gonzalez and others alleging a number of retail hacks affecting eight major retailers, including TJX Cos. of Framingham, Mass., and involving the theft of data related to 40 million credit cards. Those charges were filed in the District of Massachusetts, where Gonzalez is scheduled for trial in 2010.
The charges against Gonzalez announced Monday relate to a different pattern of hacking activity that targeted different corporate victims and involved different co-conspirators, federal sources said. The announcement of those charges was made jointly by Lanny A. Breuer, assistant attorney general of the criminal division; Ralph J. Marra Jr., acting U.S. attorney for the District of New Jersey; and Michael Merritt, U.S. Secret Service assistant director for investigations.
Contact Alan J. Liddle at [email protected].