New Details on Global, Heartland BreachesCard Fraud Case Unveils More About Network Attacks
Three months after Global Payments Inc., an Atlanta-based payments processor, announced it had closed its investigation into a network hack and a data breach discovered in March 2012, federal authorities unsealed indictments against five hackers allegedly tied to this attack and many others (see Massive Fraud Scheme: How It Happened).
See Also: Rethinking Endpoint Security
The charges against four Russians and a Ukrainian who allegedly have been connected to Heartland Payment Systems hacker Albert Gonzalez bring some closure, not only to the Global case, but also to a number of others (see Card Fraud Scheme: The Breached Victims).
According to details included in the indictment, Global between January 2011 and March 2012, was attacked by a SQL injection used to install malware on the processor's computer network and payments processing system. More than 950,000 card numbers were stolen, the indictment notes.
But Global early on estimated the number of compromised U.S. credit and debit cards to be closer to 1.5 million.
Global executives declined to comment about the indictments.
Gonzalez was helping law enforcement track other hackers involved in a worldwide cybercrime ring known as the "Shadowcrew" at the time of some of the attacks, which he helped organize. In March 2010, Gonzalez was sentenced to 20 years in prison, the longest sentence at the time handed down for computer crime in a U.S. court.
Answers for Global, and Others
The Global breach, when it was announced, raised a number of questions about when the breach actually occurred and the type of information that may have been exposed.
Immediately after the breach, Global's CEO Paul Garcia said the breach was "manageable" and that Global was handling the investigation internally. While initial advisories from Visa and MasterCard suggested the breach likely occurred sometime between Jan. 21 and Feb. 25, 2012, an updated advisory from Visa issued in April 2012 suggested the breach may have dated back to June 2011.
Then, on Jan. 8, 2013, Global acknowledged its internal investigation revealed that information beyond card details may have been compromised. The company reported that unauthorized access to servers housing personal information collected from merchants that applied for Global's processing services had been discovered. Global at that time also said it could not determine the breadth of that personal data breach.
A breach-related class-action lawsuit filed in April 2012 against Global, which claimed the processor failed to maintain reasonable and adequate procedures to protect cardholders' personally identifiable information, was later dismissed.
The breach cost Global an estimated $92.7 million, company executives have said.
In addition to Global, Heartland also was named as a breached processor impacted by the five alleged attackers named in the New Jersey U.S. Attorney's indictment.
In 2008 Heartland's breach exposed 130 million U.S. debit and credit cards. At the time, it was the largest payments card breach ever recorded.
"Heartland Payment Systems joins various other organizations in praising the work that led to the indictment of four Russians and a Ukrainian in their alleged role, along with the already convicted Albert Gonzalez, in the largest hacking and data breach scheme in U.S. history," the company says in a statement. "Though Heartland's breach ended in 2008, we hope that this indictment further delivers the message that a 'prolific hacking organization' worldwide will be pursued and charged for crimes such as this one. Heartland will continue supporting various law enforcement organizations to help ensure that justice is served."