Three Charged in TJX and Heartland Breaches

The U.S. Department of Justice (DoJ) has charged three hackers with the theft of over 130 million credit cards through data breaches that compromised businesses including Heartland Payment Systems, 7-Eleven, and supermarket chain owner Hannaford Bros.

One of the three, Albert Gonzalez, is already awaiting trial in jail after having been earlier charged with the attack on TJX, in which over 47.5 million credit card numbers were taken over several years.

At the time, the hack of TJX, which operates retailers including T.J. Maxx, Marshalls, HomeGoods and A.J. Wright, marked the largest breach of its kind.

In addition to Gonzalez, who is also in jail on minor charges from a third case involving the hack of a Long Island restaurant chain, the DoJ this week also charged two unnamed Russian hackers in the Heartland, 7-Eleven and Hannaford Bros. breaches.

All three face charges for orchestrating breaches that already cost Heartland alone over $12 million and that made off with a staggering amount of consumer data. “As far as we know, this is the largest number of credit cards ever stolen in a single instance,” said Richard Wang, Sophos Labs’ U.S. manager.

The attacks began in October 2006 and used computer systems across the U.S. as well as systems in Latvia, the Netherlands and Ukraine. The attackers used SQL injection attacks to place malware on vulnerable systems, sniffed for valuable data, and then sent that data to the servers they used, according to the indictment.

7-Eleven said that the breach only affected some transactions on its network. “The company became aware in late 2007 that a security breach had occurred. The affected transactions were limited to customers’ use of certain ATMs, owned and operated by a third party, located in 7-Eleven stores over a 12-day period from October 28, 2007, through November 8, 2007,” a 7-Eleven representative said in an e-mail to

“The charges announced today relate to a different pattern of hacking activity that targeted different corporate victims and involved different co-conspirators,” said the DoJ in a statement.

Gonzalez could face up to 25 years in jail and a fine of up to $500,000 if convicted of the charges, DoJ officials added. The case is still under investigation by the U.S. Secret Service.

Similar Attacks Likely

The case highlights a known vulnerability at many Web stores and corporate Web sites. “An insecurity in a Web-based application can allow someone to send a command to a database,” said Sophos’ Wang. “People should not be able to do that without credentials.”

Unfortunately, the problem may be widespread, placing more companies at risk before they’ve had a chance to harden their systems. “Currently, a lot of deployed Web apps have not gone through a thorough scrutiny, and that makes it easier to compromise them,” Rohit Dhamankar, director of DVLabs at TippingPoint, said in an e-mail to

In particular, future attacks may focus on companies outside of the financial realm.

“Other payment processors and major banks will have taken notice and made sure they’re not the next victim named in the next major indictment,” Wang said. “But I think we’ll see data loss from organizations whose focus is not handling financial data, such as retailers who are not specialists in data security. It will be some time before everyone has their systems set up to defend against dedicated attackers like this.”

This article appears courtesty of