Heartland Payment Systems: remember that decade-old breach?
What was then the sixth-largest payments processor in the US announced back in 2009 that its processing systems had been breached the year before.
Within days, it had been classified as the biggest ever criminal breach of card data. One estimate claimed 100 million cards and more than 650 financial services companies were compromised, at a cost of hundreds of millions of dollars. Prosecutors have said that three of the corporate victims reported $300m in losses.
The “biggest ever” designation applied to Heartland, but it was one of many corporate victims in a worldwide hacking and data breach scheme that targeted major networks. In total, the hacking ring responsible for the Heartland attack compromised 160 million credit card numbers: the largest such scheme ever prosecuted in the United States. Individual consumers also got hit, incurring what court documents said were “immeasurable” losses through identity theft, including costs associated with stolen identities and false charges.
It might be an old breach, but it hasn’t been collecting dust.
On Wednesday, the US Attorney’s office of New Jersey announced that two Russians belonging to the hacking ring that gutted Heartland, other credit card processors, banks, retailers, and other corporate victims around the world have been sent to federal prison.
Both had pleaded guilty in 2013.
Russian national Vladimir Drinkman, 37, had previously pleaded guilty to one count of conspiracy to commit unauthorized access of protected computers and one count of conspiracy to commit wire fraud. He’s been sentenced to 12 years in prison. Dmitriy Smilianets, 34, of Moscow, had previously pleaded guilty to conspiracy to commit wire fraud against a financial institution and was sentenced to 51 months and 21 days in prison: time served.
So that makes it three down: The infamous American “superhacker” and mastermind of the mammoth hacking ring behind the breach, Albert Gonzalez, was sentenced in March 2010 to 20 years in prison.
Three down, three more to go. On the fugitive list: Alexandr Kalinin, who, along with Drinkman, allegedly specialized in penetrating network security and gaining access to the corporate victims’ systems; Roman Kotov, another Russian hacker who allegedly specialized in mining corporate networks to steal valuable data; and Mikhail Rytikov, a Ukrainian who allegedly provided the gang with anonymous web-hosting services.
The conspirators handed the ripped-off data to Smilianets to sell; it was also his job to parcel out the proceeds from selling the ill-gotten data.
The gang targeted companies including NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard.
They turned the financial data – card numbers and associated data that they called “dumps” – into profit by selling it either through online forums or directly to individuals and organizations. Prosecutors said Smilianets sold the data exclusively to identity theft wholesalers.
The going rate was $10 for each stolen American credit card number and its data, $50 for each European card number and data, and about $15 a pop for Canadian credit cards and data. Repeat customers and those who bought in bulk got a discount. Then, the purchasers would encode each data dump onto the magnetic strip of a blank plastic card and cash it out by withdrawing money from ATMs or buying stuff with the cards.
To cover their tracks, Rytikov allegedly allowed his internet service provider (ISP) clients to hack away, ostensibly safe in the knowledge that he’d never keep records of what they were up to or rat them out to police.
To read the original article: https://nakedsecurity.sophos.com/2018/02/19/hackers-sentenced-for-sql-injections-that-cost-300-million/