An American man has been arrested in connection with a plot to steal the data of more than 130 million credit and debit cards.
Albert Gonzalez was indicted along with two Russian men on charges that they carried out the largest hacking and identity theft in U.S. history. Federal prosecutors alleged that the three men masterminded a global plan to steal data from more than 130 million credit and debit cards by hacking into the computer systems of five major companies, including convenience store chain 7-Eleven and credit-card processing company Heartland Payment Systems.
Gonzalez was also alleged to have played a part in the TJ Maxx data breach that led to more than 40 million credit card numbers being stolen, costing the parent company of the high street giant around $200 million.
Randy Abrams, director of technical education at ESET, claimed that whenever you use a credit card or a debit card there is information that can potentially be stolen, and in this case that is what happened, as the companies handling the credit card information were hacked.
Abrams said: “If yours was one of the stolen cards, you didn't do anything wrong. Doing things like using high quality anti-virus software, a firewall, and using sound judgment as to where you surf the web can help reduce risk, but you cannot eliminate risk entirely. So do what you can, but realise that as long as other people have your data there will be some degree of risk.”
However, Abrams claimed that the bust is a good sign, as it shows that law enforcement is coming around and international collaboration is on the rise, but there is still a long way to go.
“Hopefully if these people are convicted the judge will be savvy enough to hand down a sentence that is significant and has at least some deterrent value, although it will take a lot more than one case to begin making a dent,” said Abrams.
Rob Cotton, chief executive officer of NCC Group, said: “The large companies involved in this case have fallen short on data security, failed their customers and exposed them to potential losses. Irrespective of whether these companies were PCI DSS compliant, this yardstick is designed as the minimum requirement for data security, and companies, especially those who take high volumes of credit and debit card payments, must strive for the most robust, sophisticated security measures.
“This latest heist, the largest in American history, perfectly illustrates that the battle for security is an arms race. Hackers are becoming increasingly advanced in their methods, the tools they use and the knowledge they employ. Organisations must be at the cutting edge of technology to protect their own data and that of their customers. As we've seen in the cases of TK Maxx and Cotton Traders, a large breach can be severely damaging to a company's reputation.”
Andrew Clarke, senior vice president of Lumension, claimed that although the arrest may be a victory for officials combating cybercrime, it is also a stern warning to retailers that being compliant by no means creates immunity to vulnerabilities.
Clarke said: “What is interesting is that the latest victim, Heartland, was declared PCI compliant by the QSA (Qualified Security Assessor) shortly before the breach took place. The question now is not whether the QSA is negligent in leaving Heartland exposed (in fact, the QSA is contractually insulated from liability) or if Heartland was negligent in its security practices. The issue is that Heartland is paying the price for the breach – reportedly $32 million in recovery efforts.”