Cyber thieves escaped detection, sucked data from TJX, Heartland for months

August 18th, 2009

It took just a modicum of skill using tried-and-true hacking techniques for criminals to pull off the record-setting data breach of the retail chain TJX in 2007 – and then top that by stealing even more data from payment card processor Heartland Payments System in 2008.

Yet the most unnerving revelation in the charges filed against Albert Gonzalez – an alleged foot soldier in two separate cyber gangs accused, respectively, in the TJX and Heartland capers – had to do with their longevity.

Once the bad guys got inside each company’s firewall, they were able to extract a steady stream of data in each case for more than a year. “They found an open window, got in, but they didn’t have access to everything right away,” says Michael Lloyd, chief scientist at network security firm RedSeal.

Gonzalez and cohorts allegedly used mundane hacking techniques to extract some 94 million records from TJX, parent of TJ Maxx and Marshalls, over the course of at least eight months, and 130 million records from Heartland over 14 months.

“They stayed inside the network chucking stuff out of the window, and nobody noticed, much less tried to stop them,” says Lloyd.

Companies, understandably, are loath to publicly discuss data breaches, making an accurate assessment of the problem difficult. Even so, evidence is mounting that what happened to TJX and Heartland is occurring widely across businesses, hospitals, universities and government agencies – anywhere large organizations gather and use business data.

Replaceable units

In the cyber underground, hackers like Albert Gonzalez, who is accused of playing a central role in two of the largest data breaches in U.S. history, are often easily replaceable units.

In August 2008, Gonzalez and 10 others — including one Estonian, three Ukrainians, one suspect from China and one from Belarus — were accused by federal authorities of cracking into databases at TJX, parent company of TJ Maxx and Marshalls, and several other large retail chains. They were accused of stealing credit and debit card transaction records, including some 94 million records from TJX alone.

But even after Gonzalez was arrested and detained last summer, federal prosecutors say that a second, separate group of hackers he was involved in continued pilfering tens of millions of payment card account numbers from Heartland Payment Systems and four other companies. Gonzalez and two unnamed Russians — identified only as Hacker 1 and Hacker 2 — were indicted this week for those database breaches. Heartland alone lost some 130 million records, topping TJX’s loss total.

Court records from the TJX and Heartland cases show that Gonzalez, a hacker since 2002, built up a large network of contacts in the cyber underground, particularly among Russians. Security experts say Gonzalez and his cohorts specialized in harvesting large batches of stolen payment card account numbers to feed into an underground market run much like eBay and accessible via online forums.

“It is common knowledge that Russia is one of the easiest places in the world to get rid of this type of data,” says Sean Arries, security engineer at Terremark Worldwide. “Many Russian forums exist for the sole purpose of trading and selling this type of information.”

Grunt work

Prosecutors in the TJX case say Gonzalez and several different accomplices did grunt work: they drove around and assessed the computer systems of major retailers to find security holes. Once they identified technical flaws, expert hackers were brought in. They used various techniques, including SQL injection attacks, to locate and crack into databases holding records of credit and debit card transactions.

SQL injection attacks have been around for years. They require time and skill. A SQL attack involves querying the databases underlying a company’s public-facing web page until the database hiccups and accepts an injection of malicious code. The intruder then gains full access to the database — and a foothold to probe deeper into the company’s systems.
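
The difference between a query assembled by string concatenation and one that binds user input as a parameter, shown as an added example that is not part of the original article. The store-locator table, the function names and the input string are constructed for illustration and do not come from the court records.

```python
import sqlite3

# Constructed input: the stray quote ends the string literal early, so the
# rest of the text is parsed as SQL instead of being treated as a value.
HOSTILE_INPUT = "' OR '1'='1"


def make_db():
    """Build a constructed in-memory table standing in for a web site's back end."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE stores (id INTEGER PRIMARY KEY, zip TEXT, name TEXT);
        INSERT INTO stores (zip, name) VALUES
            ('33101', 'Miami Downtown'),
            ('07102', 'Newark Central');
    """)
    return db


def find_store_vulnerable(db, zip_code):
    """Weak form: the input becomes part of the SQL text itself."""
    sql = ("SELECT name FROM stores WHERE zip = '" + zip_code +
           "' ORDER BY id")
    return [row[0] for row in db.execute(sql)]


def find_store_safe(db, zip_code):
    """Hardened form: the query shape is fixed and the input is bound as data."""
    sql = "SELECT name FROM stores WHERE zip = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (zip_code,))]


def find_store_strict(db, zip_code):
    """Hardened form plus input validation, so bad input is rejected early."""
    if not (len(zip_code) == 5 and zip_code.isdigit()):
        raise ValueError("zip code must be exactly five digits")
    return find_store_safe(db, zip_code)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_store_vulnerable(db, HOSTILE_INPUT))
    print("bound parameter:", find_store_safe(db, HOSTILE_INPUT))
```

With the concatenated query the filter no longer restricts anything and every row comes back; with the bound parameter the same input is compared as a literal ZIP code and matches nothing.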

In the attacks on Heartland, prosecutors say Gonzalez helped with the comparatively simple task of transferring malicious programs onto the company’s computer servers. Meanwhile, Hacker 1 and Hacker 2 conducted the more delicate SQL injection probes remotely across the Internet.

Security experts say it is unlikely that Gonzalez would have continued pilfering from Heartland while being detained by the feds for the TJX break-in. Heartland President and CFO Robert Baldwin said in an interview that the company did not find definitive proof that its systems had been breached until mid-January of this year.

The New Jersey indictment issued this week does not specify if Hacker 1 and Hacker 2, who are still at large, continued stealing from Heartland in late 2008 and early 2009 with or without Gonzalez’s help.

Gonzalez is awaiting trial on the TJX charges, and he will face the Heartland charges after that. Based on accusations entered into court records against him, it is difficult to tell whether Gonzalez “was running the Russians, or the Russians were running him,” says Arries.

One thing is certain: the credit and debit card account numbers Gonzalez is accused of helping to steal moved quickly through online criminal forums. Like freshly caught fish, stolen data spoils fast, says Christopher Young, senior vice president of technology at RSA, the Security Division of EMC.

“The fraud forums get populated with data coming out of these big database breaches very quickly,” says Young. “These guys work fast, and as the data theft continues over a long period of time, there is a constant flow of information to these forums.”

Payment card account numbers stolen from TJX, for instance, made it into the hands of counterfeiters who embedded the stolen numbers on the magnetic stripes of blank, wallet-sized cards, and used them to withdraw thousands of dollars from ATMs, according to prosecutors in the TJX case.

Stolen data flows quickly

One particular ring of money-launderers was led by Irving Escobar of Miami. Escobar and several accomplices were supplied with fake Bank of America Visa cards, embedded with live account numbers stolen from TJX. They strolled into Wal-Marts all across Florida and bought fistfuls of Wal-Mart gift cards, which can be used much like cash. Escobar was arrested and convicted of running a ring that fraudulently purchased hundreds of thousands of dollars’ worth of gift cards.

The two groups Gonzalez is accused of associating with appear to be “nothing more than the tip of the spear,” says Eric Laykin, managing director of Duff & Phelps, a financial advisory firm. “In order for criminal gangs to thrive in Russia, Eastern Europe and China, they require feet on the street here in the U.S. to scout out victims and locate the vulnerabilities that can be exploited.”


By Byron Acohido