Record-setting Cyber Theft Stirs Questions on Security

The Justice Department indicted three men on Monday for stealing more than 130 million credit and debit card numbers by hacking into the computer systems of five major companies. Cyber-security experts discuss the case with Ray Suarez.

  • RAY SUAREZ:

    It’s a case the Justice Department is calling the largest credit and debit card data breach in U.S. history. Twenty-eight-year-old Albert Gonzalez and two Russian co-conspirators are charged with stealing more than 130 million card numbers between October 2006 and May 2008.

    The trio allegedly hacked around the firewalls of several companies’ computer systems, including card payment processor Heartland Payment Systems, supermarket chain Hannaford Brothers, and convenience store chain 7-Eleven.

    It’s a record-setting breach, breaking the previous mark held, federal prosecutors say, by the same Albert Gonzalez. The Miami man was already in federal custody. He previously had been charged in identity theft cases involving the restaurant chain Dave & Buster’s and the retailer T.J. Maxx.

    With this latest cybersecurity breach, consumers are asking themselves, how safe is my financial information?

    For some answers, we turn to Kim Zetter. She’s been covering this story for Wired.com. And Rosetta Jones, she’s vice president for corporate relations at Visa.

    Kim Zetter, how does the government say Albert Gonzalez did what they’re saying he did?

  • KIM ZETTER, Wired.com:

    Well, he worked with some co-conspirators who — they chose their targets by looking at Fortune 500 company lists. And once they found their target, they did sort of reconnaissance to find out what kind of processing system they used for processing their credit and debit cards. Once they knew that, they were able to look at what kind of vulnerabilities might exist in the system.

    In the case of Heartland and Hannaford and 7-Eleven, I think we know that they used a SQL injection attack on all of them. And a SQL injection attack is a pretty kind of standard attack that can be prevented if the server is configured correctly. And in these cases, it’s showing up over and over again that many companies aren’t configuring their servers correctly.

  • RAY SUAREZ:

    So they did the digital equivalent of casing these places before trying the attack?

  • KIM ZETTER:

    Yes, exactly. In some cases, they went onto the Web site of the company, and the Web sites gave them information that helped them infiltrate the companies. The Web sites can tell them what kind of processes they’re using and that kind of thing.

    And in the case of Heartland, you know, Heartland is a credit card, debit card processor, so it’s sort of the middleman between retailers and banks. And so if you hit a processor like that, then you’re getting millions of cards, as they did in this case.

  • RAY SUAREZ:

    Rosetta Jones, the program, according to the government, that these fellows were using burrowed into the systems and then started exporting the data they were finding there to places outside the United States, to some places inside the United States, but also to Latvia, Russia, the Netherlands. Why?

  • ROSETTA JONES, Visa:

    Your question was why they were exporting data?

  • RAY SUAREZ:

    Well, why to those places? Is it harder to investigate, harder to prosecute once you ship the data off to somewhere else in the world?

  • ROSETTA JONES:

    We think there’s ample opportunity for the government to be involved to help international cooperation in catching the criminals. We think that is an important opportunity and a significant area where the government can be involved.

  • RAY SUAREZ:

    Have the two sides been learning from each other, the hackers and the institutions that are trying to fend off these attacks? Do they look for breaches and then exploit them and then your side tries to build new defenses?

  • ROSETTA JONES:

    Well, I think, as long as card data remains valuable, criminals are going to continue to seek that information. What we have to do as an industry is to work with financial institutions and with merchants to protect that card information. And we have to make sure that they’re adhering to strict industry data security standards.

    I think as an industry we also have to explore new ways to make that card data not valuable to criminals. And we’re looking at things like the introduction of dynamic data into the transaction. We think that has a good opportunity to help prevent fraud.
