Three Indicted In Huge Identity/Data Breach

ScentCone and other readers let us know about an indictment just unsealed in federal court for stealing 130 million credit cards and other data useful in identity theft, or just plain money theft. The breaches were at payment processor Heartland (accounting for the bulk of the 130M), Hannaford, 7-11, and two unnamed "national retailers." Interestingly, the focus of the indictment, Albert "Segvec" Gonzalez, is currently awaiting trial for masterminding the TJX break-in, which until Heartland counted as the largest credit-card theft ever. The indictment cites SQL injection attacks as the entry vector. Two unnamed Russia-based conspirators were also indicted. Securosis has analysis of the security implications of the breach ("These appear to be preventable attacks using common security controls. It's possible some advanced techniques were used, but I doubt it") and the attackers' methodology.

Losing faith in the system

[AB3A]

These credit card processing companies had better get their acts together fast, or they'll be sunk by so many lawsuits that they won't be able to stay in business.

Insurance companies will see this sort of business as a radioactive risk. They'll let existing contracts expire and quietly back out --UNLESS these companies get serious about their data security.

There is a huge opportunity for someone to make some real coin doing this sort of thing, but it will take a mindset that these people have been loath to accept: People really are out to get them.

Hate to say it...

[loteck]

but by the looks of one of the linked articles, any standardized internal controls audit should have seriously mitigated the risks of these types of attacks being possible. These guys are dealing with credit cards, right? Where was PCI compliance?