U.S. Fingers TJX Hacker in Heartland Breach

The U.S. Department of Justice has charged three hackers with the theft of over 130 million credit cards through data breaches that compromised businesses including Heartland Payment Systems, 7-Eleven, and supermarket chain owner Hannaford Bros.

One of the three, Albert Gonzalez, is already awaiting trial in jail after having been earlier charged with the attack on TJX, in which over 47.5 million credit card numbers were taken over several years.

At the time, the hack of TJX — which operates retailers including T.J. Maxx, Marshalls, HomeGoods and A.J. Wright — marked the largest breach of its kind.

In addition to Gonzalez, who is also in jail on minor charges from a third case involving the hack of a Long Island restaurant chain, the DoJ this week also charged two unnamed Russian hackers in the Heartland, 7-Eleven and Hannaford Bros. breaches.

All three face charges for orchestrating breaches that already cost Heartland alone over $12 million and that made off with a staggering amount of consumer data.

“As far as we know, this is the largest number of credit cards ever stolen in a single instance,” Richard Wang, Sophos Labs’ U.S. manager, told InternetNews.com.

The attacks began in October 2006 and used computer systems across the U.S. as well as systems in Latvia, the Netherlands and Ukraine. The attackers used SQL injection attacks to place malware on vulnerable systems, sniffed for valuable data, and then sent that data to the servers they used, according to the indictment.

7-Eleven said that the breach only affected some transactions on its network. “The company became aware in late 2007 that a security breach had occurred. The affected transactions were limited to customers’ use of certain ATMs, owned and operated by a third party, located in 7-Eleven stores over a 12-day period from October 28, 2007, through November 8, 2007,” a 7-Eleven representative said in an e-mail to

“The charges announced today relate to a different pattern of hacking activity that targeted different corporate victims and involved different co-conspirators,” said the DoJ in a statement.

Gonzalez could face up to 25 years in jail and a fine of up to $500,000 if convicted of the charges, Justice Department officials added. The case is still under investigation by the U.S. Secret Service, the DoJ said.

Similar attacks likely

The case highlights a known vulnerability at many Web stores and corporate Web sites.

“An insecurity in a Web-based application can allow someone to send a command to a database,” said Sophos’ Wang. “People should not be able to do that without credentials.”

Unfortunately, the problem may be widespread, placing more companies at risk before they’ve had a chance to harden their systems.

“Currently, a lot of deployed Web apps have not gone through a thorough scrutiny, and that makes it easier to compromise them,” Rohit Dhamankar, director of DVLabs at TippingPoint, said in an e-mail to InternetNews.com.

In particular, future attacks may focus on companies outside of the financial realm.

“Other payment processors and major banks will have taken notice and made sure they’re not the next victim named in the next major indictment,” Wang said. “But I think we’ll see data loss from organizations whose focus is not handling financial data, such as retailers who are not specialists in data security.”

“It will be some time before everyone has their systems set up to defend against dedicated attackers like this,” he added.


Others agreed that one lesson of the case is that a payment processor or other company that complies with Payment Card Industry (PCI) specifications is not, for that reason alone, completely secure.

“In a strange way, these three hackers may have done a service to consumers and the business community at large by making it abundantly clear that PCI and other compliance requirements are not enough to fully protect customer data,” Ken Pappas, security strategist at Top Layer, said in an e-mail to InternetNews.com.

“Organizations need to realize that they must go beyond the check-box requirements of compliance regulations and implement a pervasive security strategy that uses advanced technology beyond simple firewalls to address their organization’s unique vulnerabilities and to proactively face evolving threats,” he said.

Simple fixes to a complex problem

There are a few things any company can do to protect itself against such attacks. For starters: encrypt data while in transit.

“That’s like having a safe at home for your data … but sending it through the mail on a postcard,” Sophos’ Wang said. “Anyone can read it.”

To prevent the initial intrusion, Web applications should be written to examine all queries. “Some very simple changes can be made (if you have access to the code) to make sure that all input is secure,” Wang said. “Most of the scripting and programming languages have functions that let you ‘sanitize’ the data so that it does not pose a threat on the back end.”

Wang added that companies should also look for attackers on the network.

“You can run software to examine network traffic to see if someone is probing the Web site, but the more important message is to secure the Web site so that even if they’re trying to break in, they cannot,” he said. “Businesses should secure the application code, and make sure that the underlying server and operating system are up to date with the latest patches.”

Companies that have the resources to do so can also do more.

“Within the business environment, you could segregate certain types of data,” Wang said. “Things like customer information and payment information can be held in a separate database with separate access restrictions. Then, even if they get to the site’s database, they cannot easily get from there to other databases.”

Meanwhile, applications may not need a full set of data, which could limit the amount of data a company has to store. “For example, if an application for an online store has to display the last four numbers of a credit card, maybe its backend database only needs those four numbers of the credit card,” Wang said.
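As an added example (not code from the article or from any company it names), the two practices Wang describes in Python with SQLite: a lookup that splices user input into the SQL text beside one that binds it as a parameter, and a table that keeps only the last four card digits. The table, rows and probe input are constructed for the example.

```python
import sqlite3

# Constructed sample data for this example: only the last four digits of
# each card are stored, never the full number.
ORDERS = [
    (1, "alice", "1234"),
    (2, "bob", "5678"),
    (3, "carol", "9012"),
]


def build_db():
    """Create an in-memory table holding only what the store page must display."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)
    return conn


def last4_of(card_number):
    """Reduce a card number to the four digits the display needs before storage."""
    digits = "".join(ch for ch in card_number if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("not a plausible card number")
    return digits[-4:]


def lookup_vulnerable(conn, customer):
    # Vulnerable: the input is spliced into the SQL text, so the input can
    # change the structure of the query rather than just its value.
    sql = f"SELECT id, customer, card_last4 FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, customer):
    # Hardened: the query text is fixed; the input is bound as a value only,
    # so it can never be interpreted as SQL.
    sql = "SELECT id, customer, card_last4 FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"  # constructed input that is valid SQL once spliced in
    print("vulnerable:", lookup_vulnerable(db, probe))  # every row comes back
    print("safe:", lookup_safe(db, probe))  # no customer has that literal name
```

The same probe returns the whole table from the first function and nothing from the second, which is the difference between a query whose structure the input controls and one whose structure is fixed.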

Pleased at the outcome

For the many individual victims of the attack, the charges could mean some consolation.

The companies that were attacked also appear to be pleased with the news.

“Heartland Payment Systems would like to congratulate Department of Justice and Treasury officials on their effort to bring to justice some of the individuals behind numerous data breaches in recent years,” Heartland Chairman and CEO Robert Carr said in a statement.

“The commitment and persistence shown by law enforcement and other stakeholders in this matter has been exemplary. Heartland looks forward to lending whatever support we can to this investigation as well as the broader fight against global cyber criminals,” he said.

A Hannaford spokesperson said in an e-mail to InternetNews.com that the company is “pleased that the authorities have aggressively pursued this case to be in a position to bring an indictment against the alleged perpetrators of the crime.”

“7-Eleven would like to thank the federal authorities for their diligence in pursuing the perpetrators of this crime. Because this matter is pending, we are not providing further details,” 7-Eleven said in a statement.

Update adds additional information from 7-Eleven
