Biggest-Ever Data Breach: 3 Charged1 Billion Email Addresses Allegedly Stolen
The U.S. Justice Department says three men have been charged in connection with what they say is the biggest-ever email address breach. The incident allegedly resulted in the theft of more than 1 billion email addresses from more than 100 different businesses and left at least 60 million consumers at risk from follow-on spam and phishing attacks. Two of the men who have been charged are now in U.S. custody, but one remains at large.
As part of the case, two Vietnamese citizens - Viet Quoc Nguyen (a.k.a. Vandehiu, Peter Nguyen), 28, and Giang Hoang Vu (a.k.a. Lee Vu), 25, who were both residing in the Netherlands - have been charged with hacking into U.S. email service providers. In addition, Montreal-based Canadian David-Manuel Santos Da Silva (a.k.a. Jake, Lusitano), 33, was charged with helping the two men knowingly convert stolen email addresses into $2 million in profits via his affiliate-marketing company, called 21 Celsius, which operated a site called Marketbay.com.
"These men - operating from Vietnam, the Netherlands, and Canada - are accused of carrying out the largest data breach of names and email addresses in the history of the Internet," says Assistant Attorney General Leslie R. Caldwell. "The defendants allegedly made millions of dollars by stealing over a billion email addresses from email service providers."
Nguyen was allegedly behind data breaches at multiple email service providers, including Epsilon Data Management, an online marketing unit of Alliance Data Systems Corp. The company notified customers in April 2011 that it had detected a network intrusion the previous month that had exposed confidential data, including email addresses for customers of such banks as Capital One, Chase, Citi, U.S. Bank and Visa, as well as customers of businesses ranging from Kroger and Marriott International to Verizon and Walgreens. Ultimately, email addresses from more than 100 companies and brands were reportedly exposed by the breach.
According to a 29-count indictment against Nguyen and Vu, which was filed in 2012 and only fully unsealed last week, Nguyen - who's described as a "computer hacker" - targeted at least eight ESPs via phishing attacks from February 2009 until June 2012. When employees at the targeted ESPs opened the messages, their PCs were potentially infected with malware that created a backdoor on the system, allegedly allowing Nguyen to gain direct, unauthorized access to the system and download any customer data being stored there. In other cases, authorities say that the phishing attacks resulted in a keylogger being installed, which intercepted account log-in information and routed it to the attackers. In some cases, the court documents say, Nguyen commandeered the hacked ESPs' systems to launch follow-on phishing attacks against other ESPs.
Affiliate Marketing Scheme
Nguyen used tens of millions of stolen email addresses in email marketing campaigns that were designed to direct recipients to sites with which he was associated, according to court documents. "Nguyen was paid by an affiliate-marketing company a percentage of all sales completed through those websites, thereby obtaining money from the unauthorized email campaigns," the court documents allege.
Vu has been charged with helping Nguyen by sending unauthorized email campaigns, as well as producing related artwork and helping to build affiliate-marketing websites.
Some of the products featured in the spam campaigns were allegedly also fraudulent or illegitimate. "For example, in one 'spam' attack directed by Nguyen, the unsolicited emails promoted a product called 'The New Adobe Acrobat Reader,'" according to the indictment against Da Silva. "If the recipient clicked on the hyperlink contained on the unsolicited email, the recipient was directed to a website that promoted the purchase of 'Adobe Reader 10' for approximately $65. In fact, the product being sold on Nguyen's affiliate marketing website with Marketbay.com was not an Adobe-branded product and was not authorized for sale by Adobe."
Nguyen Remains at Large
Vu was arrested by Dutch police in 2012 and extradited to the United States in March 2014. On Feb. 5, 2015, he pleaded guilty to conspiracy to commit computer fraud, and is due to be sentenced on April 21, 2015. Da Silva was arrested for conspiracy to commit money laundering at a Florida airport in February 2015, while on a business trip, his lawyer tells Le Journal de Montreal. He's due to appear in court March 17. Authorities say that Nguyen is a fugitive and remains at large.
U.S. officials say the charges against the three men and related arrests have been the culmination of several years' worth of work, and included a search warrant that the FBI executed in August 2012, in conjunction with Dutch law enforcement officials, which helped disrupt related attacks. "The federal indictments, apprehensions and extraditions in this case represent several years of hard work as the FBI and its cadre of cyber-trained agents and technical experts acted quickly to stop the ongoing damage to the numerous victim companies as a result of these individuals' hacking activities," says J. Britt Johnson, FBI special agent in charge of the bureau's Atlanta field office.
Epsilon Applauds Arrests
Epsilon has applauded the arrests. "Epsilon confirms that it is among the victims of the cybercrime referenced in the Department of Justice's indictment unsealed on March 5 against three individuals for their roles in hacking email service providers throughout the United States," the company says in a statement. "We are pleased with the outcome of the investigation carried out by the U. S. Secret Service and the resulting indictment by the Department of Justice, and thank them for bringing this criminal activity to prosecution. Data protection is, and always has been, the top priority at Epsilon, and businesses and law enforcement must work together to prevent this type of criminal activity."
Epsilon's data breach was the subject of a Congressional inquiry in June 2011 that resulted in the call - not for the first time - for a federal data-breach notification law to replace the patchwork of states' laws now in place. Congress has yet to pass such a law.